
No antivirus or malware removers work.


  • This topic is locked
22 replies to this topic

#1 Torin

  • Members
  • 23 posts

Posted 16 September 2009 - 03:10 AM

Nothing runs; they all close after a few seconds. Here is a Win32kDiag log.

http://www.bleepingcomputer.com/forums/t/257949/possible-system-32-issues-and-multiple-malware/


Running from: C:\Documents and Settings\Praha\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Praha\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58F.tmp\ZAP58F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CDIIWall3res\CDIIWall3res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Copy of Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0bb339006c086615e2de004d7883b830\0bb339006c086615e2de004d7883b830

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1abb4643eccf67e5ec8b2a16ba5befb7\1abb4643eccf67e5ec8b2a16ba5befb7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a7a44f3060b9de093f833176e196dff7\a7a44f3060b9de093f833176e196dff7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c47336b4131812a4d1c2451b65456451\c47336b4131812a4d1c2451b65456451

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f4fd4ee77827c38e3468e43ad219025c\f4fd4ee77827c38e3468e43ad219025c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\CF12840.exe

[1] 2009-09-16 02:33:29 388608 C:\WINDOWS\system32\CF12840.exe ()



Cannot access: C:\WINDOWS\system32\CF9849.exe

[1] 2009-09-16 01:55:08 388608 C:\WINDOWS\system32\CF9849.exe ()



Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ATI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{8BC6253D-6556-4E73-99EC-C13132E1CB16}\{8BC6253D-6556-4E73-99EC-C13132E1CB16}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ATI\ATI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Yahoo\YMP\minis\minis

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\ae94c7c5.sys

[1] 2009-09-16 04:01:45 96384 C:\WINDOWS\system32\drivers\ae94c7c5.sys ()



Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\QuickTime\QuickTime

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca246.tmp\mca246.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca247.tmp\mca247.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca48.tmp\mca48.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca49.tmp\mca49.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca4E.tmp\mca4E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca4F.tmp\mca4F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca6F0.tmp\mca6F0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\mca6F1.tmp\mca6F1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00048\MCE00048

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\MCE00049\MCE00049

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD249.tmp\UPD249.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD4B.tmp\UPD4B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD51.tmp\UPD51.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\temp\UPD6F3.tmp\UPD6F3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Trans_walls\Trans_walls

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\twain_32\Creative\PD0620\PD0620

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700

Mount point destination : \Device\__max++>\^



Finished!


#2 sempai

  • Malware Response Team
  • 5,288 posts

Posted 16 September 2009 - 07:53 AM

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach, who will approve all my instructions before posting them to you, so there may be some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai

  • Malware Response Team
  • 5,288 posts

Posted 16 September 2009 - 05:19 PM

Hello Torin,

You are infected with a very nasty rootkit. Please follow instructions carefully and in order.


1. Please save this FILE to your desktop. Click on Start > Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r



2. Please do the following:

1. Click on the Start button, then click on Run...
2. In the empty "Open:" box provided, type cmd and press Enter

This will launch a Command Prompt window (looks like DOS).

3. Copy the entire Bold text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
5. Press Enter.

When successful, you should get this message within the Command Prompt: "1 file(s) copied"
NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.

6. Exit the Command Prompt window.



3. Download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Please post the following when you reply:
  • Win32kDiag.txt
  • Avenger.txt

~Semp :(

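An added example, not from this thread or from the Win32kDiag tool: a Python parser for the Win32kDiag output format quoted above that pulls out the two findings Sempai acts on, namely junctions whose destination is a fabricated device name (every one in this log points at \Device\__max++>\^ and is named after its own parent folder) and locked system files whose in-place copy has no company name while a same-named copy elsewhere (here, under SoftwareDistribution) carries one at a different size. The sample log is a constructed excerpt of entries quoted in this thread; reading the parenthesised text as the version-resource company name and the list of normal junction-target prefixes are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in Win32kDiag's output format, built from entries quoted
# in this thread (blank lines between records are optional for the parser).
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\drivers\ae94c7c5.sys
[1] 2009-09-16 04:01:45 96384 C:\WINDOWS\system32\drivers\ae94c7c5.sys ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 08:00:00 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (company)"; trailing parentheses read as company name (assumption)
CAND_RE = re.compile(
    r"^\[\d+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+) \(([^()]*)\)$")
# Assumption: genuine junctions resolve to \??\ or \Device\HarddiskVolume paths.
NORMAL_DEST_PREFIXES = ("\\??\\", "\\Device\\HarddiskVolume")

@dataclass
class Candidate:
    size: int
    path: str
    company: str  # empty string when Win32kDiag printed "()"

def parse_win32kdiag(text):
    """Return (mount_points, inaccessible): a list of (junction, destination)
    pairs and a dict mapping each locked file to the copies Win32kDiag found."""
    mount_points, inaccessible = [], {}
    pending_mount = current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount = m.group(1)
        elif m := DEST_RE.match(line):
            if pending_mount is not None:
                mount_points.append((pending_mount, m.group(1)))
                pending_mount = None
        elif m := CANNOT_RE.match(line):
            current_file = m.group(1)
            inaccessible.setdefault(current_file, [])
        elif (m := CAND_RE.match(line)) and current_file is not None:
            inaccessible[current_file].append(
                Candidate(int(m.group(2)), m.group(3), m.group(4)))
        else:
            current_file = None  # any other line ends a "Cannot access" record
    return mount_points, inaccessible

def suspicious_mount_points(mount_points):
    """Flag junctions whose target is not a real volume path, plus the naming
    pattern seen throughout this log: a junction named after its own parent."""
    findings = []
    for path, dest in mount_points:
        reasons = []
        if not dest.startswith(NORMAL_DEST_PREFIXES):
            reasons.append(f"destination is not a volume path: {dest}")
        parts = path.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction carries the same name as its parent directory")
        if reasons:
            findings.append((path, reasons))
    return findings

def classify_inaccessible(inaccessible):
    """Compare each locked file's in-place copy with same-named copies elsewhere.
    A missing company name is only a hint; being unreadable is the primary signal."""
    verdicts = {}
    for path, cands in inaccessible.items():
        name = path.rsplit("\\", 1)[-1].lower()
        live = next((c for c in cands if c.path.lower() == path.lower()), None)
        refs = [c for c in cands if c.path.lower() != path.lower()
                and c.path.rsplit("\\", 1)[-1].lower() == name and c.company]
        if live is None:
            verdicts[path] = "unreadable: no metadata recovered for the locked file"
        elif live.company:
            verdicts[path] = f"ok: company name '{live.company}' present"
        elif refs and refs[0].size != live.size:
            r = refs[0]
            verdicts[path] = (f"patched: {live.size} bytes, no company name; "
                              f"reference {r.path} is {r.size} bytes ({r.company})")
        elif refs:
            verdicts[path] = f"suspect: no company name but same size as {refs[0].path}"
        else:
            verdicts[path] = f"unknown: {live.size} bytes, no company name, no reference copy"
    return verdicts
```

Feeding `parse_win32kdiag(SAMPLE_LOG)` into the two checks flags the `assembly\temp\temp` junction on both counts and reports HelpSvc.exe and eventlog.dll as patched and ae94c7c5.sys as unknown.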


#4 Torin
  • Topic Starter

  • Members
  • 23 posts

Posted 17 September 2009 - 12:17 AM

Running from: C:\Documents and Settings\Praha\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Praha\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58F.tmp\ZAP58F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58F.tmp\ZAP58F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\CDIIWall3res\CDIIWall3res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CDIIWall3res\CDIIWall3res

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Copy of Options\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Copy of Options\Install\Install

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Found mount point : C:\WINDOWS\Installer\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}\{A987FEC8-5616-49BD-BCA6-ACFFFE7403FE}

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\Install\Install

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0bb339006c086615e2de004d7883b830\0bb339006c086615e2de004d7883b830

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0bb339006c086615e2de004d7883b830\0bb339006c086615e2de004d7883b830

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1abb4643eccf67e5ec8b2a16ba5befb7\1abb4643eccf67e5ec8b2a16ba5befb7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1abb4643eccf67e5ec8b2a16ba5befb7\1abb4643eccf67e5ec8b2a16ba5befb7

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a7a44f3060b9de093f833176e196dff7\a7a44f3060b9de093f833176e196dff7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\a7a44f3060b9de093f833176e196dff7\a7a44f3060b9de093f833176e196dff7

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c47336b4131812a4d1c2451b65456451\c47336b4131812a4d1c2451b65456451

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\c47336b4131812a4d1c2451b65456451\c47336b4131812a4d1c2451b65456451

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f4fd4ee77827c38e3468e43ad219025c\f4fd4ee77827c38e3468e43ad219025c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f4fd4ee77827c38e3468e43ad219025c\f4fd4ee77827c38e3468e43ad219025c

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Adobe\update\update

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Cannot access: C:\WINDOWS\system32\CF12840.exe

Attempting to restore permissions of : C:\WINDOWS\system32\CF12840.exe

Cannot access: C:\WINDOWS\system32\CF9849.exe

Attempting to restore permissions of : C:\WINDOWS\system32\CF9849.exe

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ATI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ATI

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{8BC6253D-6556-4E73-99EC-C13132E1CB16}\{8BC6253D-6556-4E73-99EC-C13132E1CB16}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{8BC6253D-6556-4E73-99EC-C13132E1CB16}\{8BC6253D-6556-4E73-99EC-C13132E1CB16}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\toshiba\pcdiag\v3.0\Logs\Logs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ATI\ATI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ATI\ATI

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Yahoo\YMP\minis\minis

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Yahoo\YMP\minis\minis

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Cannot access: C:\WINDOWS\system32\drivers\ae94c7c5.sys

Attempting to restore permissions of : C:\WINDOWS\system32\drivers\ae94c7c5.sys

[1] 2009-09-17 01:06:05 96384 C:\WINDOWS\system32\drivers\ae94c7c5.sys ()



Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\QuickTime\QuickTime

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\QuickTime\QuickTime

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\temp\mca246.tmp\mca246.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca246.tmp\mca246.tmp

Found mount point : C:\WINDOWS\temp\mca247.tmp\mca247.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca247.tmp\mca247.tmp

Found mount point : C:\WINDOWS\temp\mca48.tmp\mca48.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca48.tmp\mca48.tmp

Found mount point : C:\WINDOWS\temp\mca49.tmp\mca49.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca49.tmp\mca49.tmp

Found mount point : C:\WINDOWS\temp\mca4E.tmp\mca4E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca4E.tmp\mca4E.tmp

Found mount point : C:\WINDOWS\temp\mca4F.tmp\mca4F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca4F.tmp\mca4F.tmp

Found mount point : C:\WINDOWS\temp\mca6F0.tmp\mca6F0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca6F0.tmp\mca6F0.tmp

Found mount point : C:\WINDOWS\temp\mca6F1.tmp\mca6F1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\mca6F1.tmp\mca6F1.tmp

Found mount point : C:\WINDOWS\temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00000\MCE00000

Found mount point : C:\WINDOWS\temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00001\MCE00001

Found mount point : C:\WINDOWS\temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00002\MCE00002

Found mount point : C:\WINDOWS\temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00003\MCE00003

Found mount point : C:\WINDOWS\temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00004\MCE00004

Found mount point : C:\WINDOWS\temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00005\MCE00005

Found mount point : C:\WINDOWS\temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00006\MCE00006

Found mount point : C:\WINDOWS\temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00007\MCE00007

Found mount point : C:\WINDOWS\temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00008\MCE00008

Found mount point : C:\WINDOWS\temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00009\MCE00009

Found mount point : C:\WINDOWS\temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0000a\MCE0000a

Found mount point : C:\WINDOWS\temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0000b\MCE0000b

Found mount point : C:\WINDOWS\temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0000c\MCE0000c

Found mount point : C:\WINDOWS\temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0000d\MCE0000d

Found mount point : C:\WINDOWS\temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0000e\MCE0000e

Found mount point : C:\WINDOWS\temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0000f\MCE0000f

Found mount point : C:\WINDOWS\temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00010\MCE00010

Found mount point : C:\WINDOWS\temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00011\MCE00011

Found mount point : C:\WINDOWS\temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00012\MCE00012

Found mount point : C:\WINDOWS\temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00013\MCE00013

Found mount point : C:\WINDOWS\temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00014\MCE00014

Found mount point : C:\WINDOWS\temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00015\MCE00015

Found mount point : C:\WINDOWS\temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00016\MCE00016

Found mount point : C:\WINDOWS\temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00017\MCE00017

Found mount point : C:\WINDOWS\temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00018\MCE00018

Found mount point : C:\WINDOWS\temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00019\MCE00019

Found mount point : C:\WINDOWS\temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0001a\MCE0001a

Found mount point : C:\WINDOWS\temp\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0001b\MCE0001b

Found mount point : C:\WINDOWS\temp\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0001c\MCE0001c

Found mount point : C:\WINDOWS\temp\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0001d\MCE0001d

Found mount point : C:\WINDOWS\temp\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0001e\MCE0001e

Found mount point : C:\WINDOWS\temp\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0001f\MCE0001f

Found mount point : C:\WINDOWS\temp\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00020\MCE00020

Found mount point : C:\WINDOWS\temp\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00021\MCE00021

Found mount point : C:\WINDOWS\temp\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00022\MCE00022

Found mount point : C:\WINDOWS\temp\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00023\MCE00023

Found mount point : C:\WINDOWS\temp\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00024\MCE00024

Found mount point : C:\WINDOWS\temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00025\MCE00025

Found mount point : C:\WINDOWS\temp\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00026\MCE00026

Found mount point : C:\WINDOWS\temp\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00027\MCE00027

Found mount point : C:\WINDOWS\temp\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00028\MCE00028

Found mount point : C:\WINDOWS\temp\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00029\MCE00029

Found mount point : C:\WINDOWS\temp\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0002a\MCE0002a

Found mount point : C:\WINDOWS\temp\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0002b\MCE0002b

Found mount point : C:\WINDOWS\temp\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0002c\MCE0002c

Found mount point : C:\WINDOWS\temp\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0002d\MCE0002d

Found mount point : C:\WINDOWS\temp\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0002e\MCE0002e

Found mount point : C:\WINDOWS\temp\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0002f\MCE0002f

Found mount point : C:\WINDOWS\temp\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00030\MCE00030

Found mount point : C:\WINDOWS\temp\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00031\MCE00031

Found mount point : C:\WINDOWS\temp\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00032\MCE00032

Found mount point : C:\WINDOWS\temp\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00033\MCE00033

Found mount point : C:\WINDOWS\temp\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00034\MCE00034

Found mount point : C:\WINDOWS\temp\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00035\MCE00035

Found mount point : C:\WINDOWS\temp\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00036\MCE00036

Found mount point : C:\WINDOWS\temp\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00037\MCE00037

Found mount point : C:\WINDOWS\temp\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00038\MCE00038

Found mount point : C:\WINDOWS\temp\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00039\MCE00039

Found mount point : C:\WINDOWS\temp\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0003a\MCE0003a

Found mount point : C:\WINDOWS\temp\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0003b\MCE0003b

Found mount point : C:\WINDOWS\temp\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0003c\MCE0003c

Found mount point : C:\WINDOWS\temp\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0003d\MCE0003d

Found mount point : C:\WINDOWS\temp\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0003e\MCE0003e

Found mount point : C:\WINDOWS\temp\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE0003f\MCE0003f

Found mount point : C:\WINDOWS\temp\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00040\MCE00040

Found mount point : C:\WINDOWS\temp\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00041\MCE00041

Found mount point : C:\WINDOWS\temp\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00042\MCE00042

Found mount point : C:\WINDOWS\temp\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00043\MCE00043

Found mount point : C:\WINDOWS\temp\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00044\MCE00044

Found mount point : C:\WINDOWS\temp\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00045\MCE00045

Found mount point : C:\WINDOWS\temp\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00046\MCE00046

Found mount point : C:\WINDOWS\temp\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00047\MCE00047

Found mount point : C:\WINDOWS\temp\MCE00048\MCE00048

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00048\MCE00048

Found mount point : C:\WINDOWS\temp\MCE00049\MCE00049

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00049\MCE00049

Found mount point : C:\WINDOWS\temp\UPD249.tmp\UPD249.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\UPD249.tmp\UPD249.tmp

Found mount point : C:\WINDOWS\temp\UPD4B.tmp\UPD4B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\UPD4B.tmp\UPD4B.tmp

Found mount point : C:\WINDOWS\temp\UPD51.tmp\UPD51.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\UPD51.tmp\UPD51.tmp

Found mount point : C:\WINDOWS\temp\UPD6F3.tmp\UPD6F3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\UPD6F3.tmp\UPD6F3.tmp

Found mount point : C:\WINDOWS\Trans_walls\Trans_walls

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Trans_walls\Trans_walls

Found mount point : C:\WINDOWS\twain_32\Creative\PD0620\PD0620

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\twain_32\Creative\PD0620\PD0620

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700



Finished!


When I go to start>run>type in cmd and enter>then paste copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y, I get the message 'The system cannot find the file specified.'
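
Every hit in the log above has the same shape: the junction directory carries the same name as its parent (C:\WINDOWS\temp\MCE00025\MCE00025), and its reparse target is a raw device object, \Device\__max++>\^, rather than the \??\Volume{...} or \??\C:\... form that mountvol and the junction tools write. The script below is an added example and is not part of the original post or of Win32kDiag. It parses the tool's "Found mount point" / "Mount point destination" pairs from a constructed excerpt modelled on this log (with one benign volume mount point added for contrast), flags targets outside the \??\ namespace, notes the self-named directory pattern, and counts how many junctions share each target. The rule for what a benign target looks like is an assumption stated in the code, not something the log itself says.

```python
"""Parse Win32kDiag mount-point output and flag reparse targets that are
not ordinary volume or drive paths."""
import re
from collections import Counter

FOUND_RE = re.compile(r"^Found mount point : (?P<path>.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+?)\s*$")

# Assumption: a legitimate reparse target uses the Win32 device-namespace
# prefix followed by a volume GUID or a drive letter. Anything else, such
# as a raw \Device\... object name, is treated as suspicious.
BENIGN_DEST_RE = re.compile(r"^\\\?\?\\(Volume\{[0-9A-Fa-f-]{36}\}|[A-Za-z]:)")

# Constructed excerpt modelled on this thread's log; the last entry is a
# benign volume mount point added for contrast and is not from the page.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\temp\MCE00025\MCE00025

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\Mounts\Data

Mount point destination : \??\Volume{12345678-0000-0000-0000-000000000001}\

Finished!
"""


def parse_mount_points(text):
    """Return (path, destination) pairs in the order the tool printed them;
    'Removing mount point' lines are ignored."""
    pairs, pending = [], None
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group("dest")))
            pending = None
    return pairs


def is_self_named(path):
    """True when the junction directory has the same name as its parent
    (C:\\X\\Y\\Y), the naming every hit in this thread's log shows."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def classify(dest):
    return "benign" if BENIGN_DEST_RE.match(dest) else "suspicious"


def analyze(text):
    """Group entries by verdict and count how many junctions share each
    target; dozens pointing at one device object is the telling number."""
    result = {"suspicious": [], "benign": [], "targets": Counter()}
    for path, dest in parse_mount_points(text):
        result["targets"][dest] += 1
        result[classify(dest)].append(
            {"path": path, "dest": dest, "self_named": is_self_named(path)})
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for dest, n in r["targets"].most_common():
        print(f"{n:4d} junction(s) -> {dest} [{classify(dest)}]")
    for e in r["suspicious"]:
        print("  ", e["path"], "(self-named)" if e["self_named"] else "")
```

Run against the full log from this thread, the target counter collapses hundreds of lines into one line per target, which is the quickest way to see that every junction points at the same device object.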

#5 Torin
  • Topic Starter

Posted 17 September 2009 - 12:21 AM

When I go to my command prompt it's at C:\Documents and Settings\Praha, not just C:\?

#6 sempai
  • Malware Response Team

Posted 17 September 2009 - 05:17 AM

Hello Torin,

Let's try a different approach.


1. Please do the following:

1. Click on the Start button, then click on Run...
2. In the empty "Open:" box provided, type cmd and press Enter

This will launch a Command Prompt window (looks like DOS).

3. Copy the entire Bold text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

copy C:\WINDOWS\system32\logevent.dll C:\ /y

4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
5. Press Enter.

When successful, you should get this message within the Command Prompt: "1 file(s) copied"
NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.

6. Exit the Command Prompt window.



2. Download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\logevent.dll | C:\WINDOWS\system32\eventlog.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)
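
Before a boot-time tool overwrites a system DLL, and again after the reboot, a practitioner wants evidence that the bytes on disk are the intended ones; name, size and timestamp are all things a file patcher can preserve, so the check has to be a content hash against an independent reference copy. The script below is an added example, not code from this thread or from any of the tools it mentions. It builds a throwaway directory tree that imitates the XP layout (system32, its dllcache, and a ServicePackFiles\i386 folder in which the file is absent, the situation behind the "cannot find the file specified" error earlier in the thread), hashes the live DLL against each reference copy, and reports matches, mismatches and absent references separately. The file contents are constructed, the two copies are deliberately the same size, and the assumption that dllcache holds a trustworthy copy is exactly that: on a compromised machine the reference should ideally come from install media or another clean system.

```python
"""Verify a staged system-DLL replacement by content hash rather than by
name, size or timestamp."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_references(target, references):
    """Compare `target` with each reference copy that exists on disk.
    A missing reference (the 'cannot find the file' case) is reported
    rather than silently skipped."""
    report = {"target_sha256": sha256_of(target),
              "matches": [], "mismatches": [], "missing": []}
    for ref in references:
        if not os.path.isfile(ref):
            report["missing"].append(ref)
            continue
        same = sha256_of(ref) == report["target_sha256"]
        report["matches" if same else "mismatches"].append(ref)
    return report


def replacement_applied(live_path, staged_path):
    """After the reboot-time move, the live file must hash identical to
    the copy that was staged beforehand."""
    return os.path.isfile(live_path) and sha256_of(live_path) == sha256_of(staged_path)


def build_demo_tree(root):
    """Constructed stand-in for the XP directory layout used in this
    thread. The byte contents are made up; only the relationships matter:
    the live DLL differs from the dllcache copy (same length, different
    bytes), and the ServicePackFiles copy does not exist."""
    system32 = os.path.join(root, "WINDOWS", "system32")
    dllcache = os.path.join(system32, "dllcache")
    spf = os.path.join(root, "WINDOWS", "ServicePackFiles", "i386")
    os.makedirs(dllcache)
    os.makedirs(spf)  # directory exists, file does not
    live = os.path.join(system32, "eventlog.dll")
    cache = os.path.join(dllcache, "eventlog.dll")
    with open(live, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed: patched copy")
    with open(cache, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed: clean copy  ")
    return {"live": live, "cache": cache,
            "spf": os.path.join(spf, "eventlog.dll")}


def demo():
    """Run the before/after check on the constructed tree; returns the two
    reports and the final verdict."""
    with tempfile.TemporaryDirectory() as root:
        p = build_demo_tree(root)
        before = verify_against_references(p["live"], [p["cache"], p["spf"]])
        staged = os.path.join(root, "staged.dll")
        shutil.copyfile(p["cache"], staged)   # the 'copy ... C:\ /y' step
        shutil.copyfile(staged, p["live"])    # what the boot-time move does
        after = verify_against_references(p["live"], [p["cache"], p["spf"]])
        return before, after, replacement_applied(p["live"], staged)


if __name__ == "__main__":
    before, after, ok = demo()
    print("before:", before)
    print("after:", after)
    print("replacement applied:", ok)
```

On a real system the same two functions run against C:\WINDOWS\system32\eventlog.dll with the dllcache and ServicePackFiles paths as references, once before staging the file and once after the reboot.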


#7 Torin
  • Topic Starter

Posted 17 September 2009 - 10:33 AM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#8 sempai
  • Malware Response Team

Posted 17 September 2009 - 05:29 PM

Hi,

That's a good sign. Let's continue with the cleaning process.



1. Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.



2. We need to check for Rootkits with RootRepeal
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.

3. Download (If you already deleted it) and run Win32kDiag:
Please post the following logs when you reply:
  • Combofix
  • Rootrepeal
  • Win32kDiag

~Semp


#9 Torin
  • Topic Starter

Posted 17 September 2009 - 10:54 PM

Have all three attached.

Attached Files



#10 sempai
  • Malware Response Team

Posted 19 September 2009 - 05:38 AM

Hello Torin,

It will be easier for me to analyze your malware problem if you post the logs directly instead of attaching them, thanks.


1. Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Limewire).

These programmes allow users to share files, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should consequently be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.


Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
C:\fjmpqp.exe
C:\wpfpqa.exe
c:\windows\zusyhyg.com
c:\windows\emaqy.dat
c:\documents and settings\Praha\Application Data\wklnhst.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

RegLock:: 
[HKEY_USERS\S-1-5-21-2070348330-2584055491-1958564374-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\ŕ*& xň*ů*O*h**«* *]

Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



3. Please run your Malwarebytes Anti-Malware. Go to update tab and install all updates and then perform a full scan. When the scan is done it will produce a log, please post that log for my analysis.



4. We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please post the following logs when you reply:
  • Combofix
  • MBAM
  • OTL (OTListIt.txt and Extra.txt)
How's your computer running now?

~Semp
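
The CFScript in the post above has four directive blocks: File:: (paths the script targets for deletion), Registry:: (values it writes back, here setting AntiVirusOverride to 0 and EnableFirewall to 1 under the Security Center and firewall policy keys), RegLock:: (a locked key to unlock) and RegLockDel:: (a locked key to unlock and delete). Reading such a script back before dragging it onto ComboFix catches a mistyped section header, a value line outside any [key], or a dword that is not hex, all of which are easy to produce when copying from a forum post. The parser below is an added example and is not ComboFix's own code; the block names are taken from this post, while what ComboFix does with each block is given here as background and is not something the post spells out. It runs on a constructed script modelled on the one above, with the garbled CLSID name replaced by a placeholder.

```python
"""Parse a ComboFix CFScript into its directive blocks and check the
Registry:: block before the script is handed to the tool."""
import re

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Constructed script modelled on the one in this post. The RegLockDel key
# is a placeholder for the garbled CLSID name shown in the thread.
SAMPLE_CFSCRIPT = r"""
File::
C:\fjmpqp.exe
C:\wpfpqa.exe
c:\windows\zusyhyg.com
c:\windows\emaqy.dat
c:\documents and settings\Praha\Application Data\wklnhst.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

RegLock:: 
[HKEY_USERS\S-1-5-21-2070348330-2584055491-1958564374-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\PLACEHOLDER-FOR-GARBLED-NAME]
"""


def parse_cfscript(text):
    """Map each 'Name::' header to the non-empty lines beneath it. A line
    before any header is rejected instead of being silently attached to
    nothing; the trailing space after 'RegLock::' in the post is tolerated."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_block(lines):
    """Turn Registry:: lines into {key: {value_name: data}}. dword data is
    converted to int (non-hex raises); a value line with no preceding
    [key] is rejected."""
    entries = {}
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"bad registry line: {line!r}")
        data = m.group("data")
        if data.lower().startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        else:
            value = data.strip('"')
        entries[key][m.group("name")] = value
    return entries


def summarize(text):
    """The counts a reviewer sanity-checks before running the script."""
    s = parse_cfscript(text)
    reg = parse_registry_block(s.get("Registry", []))
    return {
        "files_to_delete": len(s.get("File", [])),
        "registry_keys": len(reg),
        "keys_to_unlock": len(s.get("RegLock", [])),
        "keys_to_unlock_and_delete": len(s.get("RegLockDel", [])),
        "registry": reg,
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CFSCRIPT).items():
        print(f"{k}: {v}")
```

The dword conversion is the useful part: the script's intent is that AntiVirusOverride ends up 0 and EnableFirewall ends up 1, and reading the parsed integers back is a far quicker check than squinting at eight-digit hex in a forum codebox.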


#11 sempai
  • Malware Response Team

Posted 21 September 2009 - 05:18 PM

Hi,

Are you still with us?

~Semp



#12 Torin
  • Topic Starter

Posted 23 September 2009 - 02:41 AM

Yes, sorry.

#13 Torin
  • Topic Starter

Posted 23 September 2009 - 04:06 AM

COMBOFIX LOG

ComboFix 09-09-22.03 - Praha 09/23/2009 4:14.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.118 [GMT -4:00]
Running from: c:\documents and settings\Praha\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Praha\Desktop\cfscript.txt

FILE ::
"c:\documents and settings\Praha\Application Data\wklnhst.dat"
"C:\fjmpqp.exe"
"c:\windows\emaqy.dat"
"c:\windows\zusyhyg.com"
"C:\wpfpqa.exe"
.

((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-09-23 07:45 . 2009-09-23 07:45 -------- d-----w- C:\Combo-Fix22985C
2009-09-21 07:05 . 2009-09-21 07:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-18 10:12 . 2009-09-18 10:12 -------- d-sh--w- c:\documents and settings\Praha\IECompatCache
2009-09-18 07:55 . 2009-09-18 07:55 -------- d-----w- c:\windows\LastGood
2009-09-17 07:30 . 2009-09-17 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-09-16 08:55 . 2009-09-18 03:05 -------- d-----w- C:\Combo-Fix25969C
2009-09-16 08:39 . 2009-09-16 08:55 -------- d-----w- C:\Combo-Fix3827C
2009-09-16 08:12 . 2009-09-16 08:39 -------- d-----w- C:\Combo-Fix
2009-09-16 07:37 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-16 07:36 . 2009-09-16 07:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-16 06:34 . 2009-09-16 08:12 -------- d-----w- C:\ComboFix
2009-09-16 05:50 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 05:50 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-16 05:50 . 2009-09-16 07:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 04:43 . 2009-09-17 07:46 -------- d-----w- c:\program files\Windows Live
2009-09-16 04:19 . 2009-09-17 09:11 -------- d-----w- c:\documents and settings\Praha\Tracing
2009-09-16 04:04 . 2009-09-16 05:11 -------- d-----w- c:\program files\Microsoft
2009-09-16 03:46 . 2009-09-16 03:46 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-16 03:45 . 2009-09-16 04:19 57544 ----a-w- c:\documents and settings\Praha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 17:40 . 2009-09-12 17:40 -------- d-----w- c:\documents and settings\Praha\Local Settings\Application Data\beta
2009-09-12 07:02 . 2009-09-12 07:02 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-12 06:59 . 2009-09-12 06:59 -------- d-----w- c:\program files\real
2009-09-05 08:30 . 2007-03-23 15:01 25792 ----a-w- c:\windows\system32\drivers\pnarp.sys
2009-09-05 08:30 . 2007-03-23 15:01 26944 ----a-w- c:\windows\system32\drivers\purendis.sys
2009-09-05 08:30 . 2009-09-05 08:30 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2009-09-05 08:29 . 2009-09-05 08:29 -------- d-----w- c:\program files\Pure Networks
2009-09-05 08:28 . 2009-09-05 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2009-09-04 16:06 . 2009-09-04 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-04 16:06 . 2009-09-11 01:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-04 16:06 . 2009-09-04 16:06 -------- d-----w- c:\documents and settings\Praha\Application Data\SUPERAntiSpyware.com
2009-09-04 16:00 . 2009-09-16 07:35 -------- d-----w- c:\program files\Lavasoft
2009-08-24 09:56 . 2009-08-24 10:05 -------- d-----w- c:\documents and settings\Praha\Application Data\SoundSpectrum
2009-08-24 09:54 . 2009-08-24 09:54 -------- d-----w- c:\program files\SoundSpectrum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 08:16 . 2006-11-20 17:35 -------- d-----w- c:\documents and settings\Praha\Application Data\StumbleUpon
2009-09-23 05:25 . 2009-06-20 01:01 -------- d-----w- c:\program files\McAfee
2009-09-17 09:08 . 2006-05-28 16:41 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2009-09-17 06:57 . 2008-08-17 13:53 -------- d-----w- c:\program files\Common Files\Stardock
2009-09-16 07:35 . 2008-03-10 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-12 07:04 . 2005-11-05 04:10 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 07:00 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-12 07:00 . 2003-03-19 06:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-09 22:20 . 2007-01-04 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-04 16:10 . 2008-03-13 08:38 -------- d-----w- c:\documents and settings\Praha\Application Data\LimeWire
2009-08-29 06:19 . 2006-05-28 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo
2009-08-29 06:18 . 2005-11-05 04:13 -------- d-----w- c:\program files\Yahoo!
2009-08-29 06:15 . 2009-07-19 07:28 -------- d-----w- c:\program files\Oberon Media
2009-08-29 06:11 . 2006-06-05 04:46 -------- d-----w- c:\program files\Orb Networks
2009-08-29 06:02 . 2008-09-20 08:37 -------- d-----w- c:\program files\Common Files\Apple
2009-08-29 05:59 . 2008-02-29 08:54 -------- d-----w- c:\program files\DivX
2009-08-24 09:54 . 2009-06-01 23:11 -------- d-----w- c:\program files\iTunes
2009-08-23 20:31 . 2005-11-05 02:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-23 20:30 . 2007-07-17 19:20 -------- d-----w- c:\program files\Common Files\TI Shared
2009-08-21 01:44 . 2007-01-28 22:00 -------- d-----w- c:\documents and settings\Praha\Application Data\Skype
2009-08-21 01:20 . 2008-06-29 04:46 -------- d-----w- c:\documents and settings\Praha\Application Data\skypePM
2009-08-21 00:01 . 2009-08-21 00:01 17417 ----a-w- c:\program files\Common Files\ahiv.lib
2009-08-13 08:00 . 2009-08-13 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Expedia
2009-08-13 08:00 . 2009-08-13 08:00 -------- d-----w- c:\program files\Expedia
2009-07-29 08:25 . 2009-07-29 08:25 -------- d-----w- c:\program files\Atari
2009-07-29 03:28 . 2009-07-29 03:20 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-07-29 03:20 . 2009-07-29 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-07-29 03:20 . 2009-07-29 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-07-29 03:20 . 2009-07-29 03:20 -------- d-----w- c:\program files\Logitech
2009-07-29 02:33 . 2009-07-29 02:33 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-07-29 02:33 . 2009-07-29 02:30 -------- d-----w- c:\program files\MSECACHE
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-16 16:32 . 2009-06-20 01:03 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-12 20:25 . 2009-07-12 20:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-08 17:44 . 2009-06-20 01:03 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2009-06-20 01:03 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2009-06-20 01:03 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2009-06-20 01:03 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2009-06-20 01:03 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-03 17:09 . 2005-11-05 00:53 915456 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-18_03.23.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-18 07:16 . 2009-09-23 05:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-11-05 02:31 . 2009-09-18 03:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-11-05 02:31 . 2009-09-23 05:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-11-05 02:31 . 2009-09-18 03:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-21 07:05 . 2009-09-21 07:05 15709696 c:\windows\Installer\10412967.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-03-06 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-12 198160]
"TFncKy"="TFncKy.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Ad-Aware"="c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe" [2009-09-23 2353992]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57497:TCP"= 57497:TCP:Pando P2P TCP Listening Port
"57497:UDP"= 57497:UDP:Pando P2P UDP Listening Port
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/16/2009 3:37 AM 64160]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 0294911253260540mcinstcleanup;McAfee Application Installer Cleanup (0294911253260540);c:\windows\TEMP\029491~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\029491~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [6/3/2009 4:52 PM 120168]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 07:37]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Praha\Application Data\Mozilla\Firefox\Profiles\6hdpb69h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\documents and settings\Praha\Application Data\Mozilla\Firefox\Profiles\6hdpb69h.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 04:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2070348330-2584055491-1958564374-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\ŕ*& xň*ů*O*h**«* *\InfFile]
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3912)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\browselc.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
.
Completion time: 2009-09-23 4:29
ComboFix-quarantined-files.txt 2009-09-23 08:28
ComboFix2.txt 2009-09-23 08:06
ComboFix3.txt 2009-09-18 03:32

Pre-Run: 7,124,647,936 bytes free
Post-Run: 7,053,602,816 bytes free

233 --- E O F --- 2009-08-21 02:06

OTL LOG

OTL logfile created on: 9/23/2009 4:35:12 AM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Praha\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.17 Mb Total Physical Memory | 90.29 Mb Available Physical Memory | 20.24% Memory free
1.38 Gb Paging File | 0.99 Gb Available in Paging File | 71.71% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.65 Gb Total Space | 6.59 Gb Free Space | 11.84% Space Free | Partition Type: NTFS
Drive D: | 76.57 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TORIN
Current User Name: Praha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2005/08/04 02:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2005/08/04 02:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2004/10/15 16:54:14 | 00,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2004/10/15 16:54:12 | 00,046,768 | ---- | M] (America Online Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
PRC - [2005/01/17 20:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009/07/10 00:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/08 13:43:40 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/10 03:26:42 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2006/02/07 17:30:40 | 00,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2009/07/10 00:26:20 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2007/03/14 15:42:48 | 00,321,088 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
PRC - [2004/03/23 23:40:42 | 00,196,608 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apoint.exe
PRC - [2006/03/06 15:03:02 | 00,356,352 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
PRC - [2009/05/26 17:18:30 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2009/05/30 12:30:26 | 00,292,136 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/02/08 01:12:48 | 00,488,984 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PRC - [2003/02/26 12:08:42 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apntex.exe
PRC - [2004/08/04 08:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2009/05/30 12:30:20 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2007/02/06 17:43:26 | 00,252,704 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
PRC - [2007/02/08 01:12:20 | 00,230,936 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
PRC - [2009/09/12 02:59:41 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/09/23 04:34:39 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Praha\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/07/08 03:13:14 | 00,036,864 | ---- | M] () -- C:\WINDOWS\System32\acs.exe -- (ACS [Auto | Stopped])
SRV - [2004/10/15 16:54:14 | 00,100,016 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor [Auto | Running])
SRV - [2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/08/04 02:02:58 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/06/30 22:49:15 | 00,039,936 | ---- | M] (C-Dilla Ltd) -- C:\WINDOWS\System32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA [Auto | Stopped])
SRV - [2005/01/17 20:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs [Auto | Running])
SRV - [2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2004/08/28 04:33:00 | 00,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\DVDRAMSV.exe -- (DVD-RAM_Service [Disabled | Stopped])
SRV - [2004/08/04 08:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/05/30 12:30:20 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/07/12 16:25:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Stopped])
SRV - [2009/09/23 03:37:46 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (lavasoft ad-aware service [Auto | Stopped])
SRV - [2007/02/06 17:45:26 | 00,109,344 | ---- | M] (Logitech Inc.) -- c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe -- (LVPrcSrv [Auto | Stopped])
SRV - [2007/02/06 17:47:12 | 00,105,248 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher [Auto | Stopped])
SRV - [2009/07/10 00:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2009/07/08 15:15:04 | 00,365,072 | ---- | M] () -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2009/07/08 13:43:40 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Auto | Running])
SRV - [2009/07/08 13:11:52 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [Disabled | Stopped])
SRV - [2009/07/10 03:26:42 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2007/03/14 15:42:22 | 00,012,800 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe -- (nmraapache [On_Demand | Stopped])
SRV - [2007/03/14 15:42:48 | 00,321,088 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe -- (nmservice [Auto | Running])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/06/03 16:52:26 | 00,120,168 | ---- | M] (stumbleupon.com) -- C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe -- (StumbleUponUpdateService [On_Demand | Stopped])
SRV - [2005/07/12 21:14:42 | 00,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr [Disabled | Stopped])
SRV - [2006/02/07 17:30:40 | 00,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV [Auto | Running])
SRV - File not found -- -- (winvnc [Auto | Stopped])
SRV - [2006/10/18 22:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - File not found -- -- (0294911253260540mcinstcleanup [Auto | Stopped])

========== Driver Services (SafeList) ==========

DRV - File not found -- Service key not found. -- (ae94c7c5 [Unknown | Stopped])
DRV - [2006/05/28 12:41:15 | 00,017,801 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2005/11/15 13:00:22 | 01,122,656 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2004/11/15 17:22:08 | 00,101,874 | ---- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2005/09/12 22:08:30 | 00,468,736 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\DRIVERS\ar5211.sys -- (AR5211 [On_Demand | Running])
DRV - [2005/08/04 02:10:18 | 01,273,344 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2007/01/31 09:33:46 | 00,005,632 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\DRIVERS\avgarkt.sys -- (AVG Anti-Rootkit [Boot | Running])
DRV - [2007/01/18 08:00:28 | 00,003,968 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\DRIVERS\AvgArCln.sys -- (AvgArCln [System | Running])
DRV - File not found -- -- (catchme [On_Demand | Running])
DRV - [2008/06/30 22:49:13 | 00,008,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS -- (CdaC15BA [Auto | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2005/01/07 21:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/11/10 20:44:12 | 04,064,256 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2005/01/12 04:05:46 | 00,204,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\WINDOWS\system32\drivers\KR10N.sys -- (KR10N [Boot | Running])
DRV - [2009/07/03 10:49:08 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (lbd [Boot | Running])
DRV - [2007/02/06 17:42:40 | 01,691,808 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\LVcKap.sys -- (LVcKap [On_Demand | Running])
DRV - [2007/02/06 17:44:36 | 01,964,064 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\LVMVDrv.sys -- (LVMVDrv [On_Demand | Stopped])
DRV - [2007/02/06 17:45:04 | 00,025,632 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon [On_Demand | Running])
DRV - [2007/02/03 14:32:34 | 00,041,504 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\LVUSBSta.sys -- (LVUSBSta [On_Demand | Stopped])
DRV - [2005/06/02 07:33:00 | 00,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\System32\Drivers\meiudf.sys -- (meiudf [System | Running])
DRV - [2009/07/08 13:44:20 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2009/07/08 13:44:20 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2009/07/08 13:44:20 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2009/07/08 13:43:46 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2009/07/08 13:44:20 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2003/01/29 18:35:00 | 00,012,032 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys -- (Netdevio [Auto | Running])
DRV - [2004/08/04 08:00:00 | 00,088,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys -- (NwlnkIpx [Auto | Running])
DRV - [2004/08/04 08:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\nwlnknb.sys -- (NwlnkNb [Auto | Running])
DRV - [2004/08/04 08:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys -- (NwlnkSpx [Auto | Running])
DRV - [2007/02/03 14:27:15 | 00,014,240 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\lv302af.sys -- (pepifilter [On_Demand | Stopped])
DRV - [2003/09/19 19:45:48 | 00,021,248 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (pfc [On_Demand | Running])
DRV - [2007/02/03 14:27:27 | 00,938,272 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\LV302V32.SYS -- (PID_PEPI [On_Demand | Stopped])
DRV - [2007/03/23 11:01:12 | 00,025,792 | ---- | M] (Pure Networks, Inc.) -- C:\WINDOWS\System32\DRIVERS\pnarp.sys -- (pnarp [Auto | Running])
DRV - [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/23 11:01:46 | 00,026,944 | ---- | M] (Pure Networks, Inc.) -- C:\WINDOWS\System32\DRIVERS\purendis.sys -- (purendis [Auto | Running])
DRV - [2008/02/20 22:05:38 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2005/03/04 15:10:26 | 00,074,496 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 18:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | R--- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2006/11/17 18:05:50 | 00,015,360 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\System32\Drivers\sskbfd.sys -- (SSKBFD [On_Demand | Running])
DRV - [2005/08/24 19:20:28 | 00,009,472 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\tbiosdrv.sys -- (tbiosdrv [On_Demand | Running])
DRV - [2007/12/24 17:37:00 | 00,138,384 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
DRV - [2005/10/20 15:03:42 | 00,006,144 | ---- | M] (Toshiba Corporation) -- C:\WINDOWS\System32\DRIVERS\NBSMI.sys -- (TVALD [On_Demand | Running])
DRV - [2005/11/15 20:40:24 | 00,043,264 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\Tvs.sys -- (Tvs [On_Demand | Running])
DRV - [2004/08/04 01:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2003/01/10 16:13:04 | 00,033,588 | R--- | M] (America Online, Inc.) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\S-1-5-21-2070348330-2584055491-1958564374-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\S-1-5-21-2070348330-2584055491-1958564374-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:0.7.5.5
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.20.1.1
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:3.2
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.1
FF - prefs.js..extensions.enabledItems: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}:0.9.7.7
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081127W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {d07a4843-111f-4699-8551-8ce2afa075cd}:1.6.1.20080314105222
FF - prefs.js..extensions.enabledItems: {FFA36170-80B1-4535-B0E3-A4569E497DD0}:2.0.2
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.8
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.8.0.4280
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.87
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.1.20080801
FF - prefs.js..extensions.enabledItems: {47d1d620-5e5b-11da-8cd6-0800200c9a66}:2.0
FF - prefs.js..extensions.enabledItems: {5c8bfb7c-9a54-11dc-8314-0800200c9a66}:3.0.1
FF - prefs.js..extensions.enabledItems: {239c61a8-e55f-11db-8314-0800200c9a66}:2.0.7
FF - prefs.js..extensions.enabledItems: {99de5f32-88bf-43c9-b47e-a894a4b72e71}:2.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.13
FF - prefs.js..extensions.enabledItems: {a81bafeb-b6ed-4501-aa17-15a2b3857e56}:3.0.3
FF - prefs.js..extensions.enabledItems: {74b288e6-77b6-41c7-8138-bb81f4539689}:3.0.3
FF - prefs.js..extensions.enabledItems: {86FA6F53-95FE-7A69-D8C3-E1454281F8B6}:1.0f3
FF - prefs.js..extensions.enabledItems: kempelton-fx@arvidaxelsson.se:3.0.6
FF - prefs.js..extensions.enabledItems: {d596c130-b00a-11db-abbd-0800200c9a66}:2.080708
FF - prefs.js..extensions.enabledItems: neptune@www.spuler.us:3.0
FF - prefs.js..extensions.enabledItems: NG_Classic@snakehole.net:2.026
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.47
FF - prefs.js..extensions.enabledItems: {c1dffba0-628e-11d9-9669-0800200c9a66}:3.0.2
FF - prefs.js..extensions.enabledItems: rein@notiz.jp:3.0.1
FF - prefs.js..extensions.enabledItems: smoke@www.spuler.us:3.0
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query="


FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/07/12 16:25:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/12 03:04:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/12 03:06:16 | 00,000,000 | ---D | M]

[2008/08/09 19:00:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Extensions
[2008/08/09 19:00:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/15 22:56:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions
[2008/08/09 19:05:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2008/08/28 21:52:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2008/08/09 19:34:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{239c61a8-e55f-11db-8314-0800200c9a66}
[2009/01/06 22:14:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/08/09 19:13:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{47d1d620-5e5b-11da-8cd6-0800200c9a66}
[2008/08/09 19:37:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
[2008/08/28 21:52:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/09/02 13:31:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2008/09/02 13:31:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{74b288e6-77b6-41c7-8138-bb81f4539689}
[2008/08/09 19:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{86FA6F53-95FE-7A69-D8C3-E1454281F8B6}
[2008/08/09 19:34:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{99de5f32-88bf-43c9-b47e-a894a4b72e71}
[2008/08/28 21:51:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2008/09/02 13:31:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{a81bafeb-b6ed-4501-aa17-15a2b3857e56}
[2008/08/09 19:24:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2008/08/09 19:13:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}
[2009/08/18 12:01:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2008/08/09 19:24:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{d07a4843-111f-4699-8551-8ce2afa075cd}
[2008/08/09 19:24:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/08/09 19:34:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{d596c130-b00a-11db-abbd-0800200c9a66}
[2008/08/09 19:39:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}
[2008/08/28 21:51:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\kempelton-fx@arvidaxelsson.se
[2008/08/09 19:35:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\neptune@www.spuler.us
[2008/08/09 19:35:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\NG_Classic@snakehole.net
[2008/08/28 21:52:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\piclens@cooliris.com
[2008/08/09 19:16:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\rein@notiz.jp
[2008/08/09 19:36:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Praha\Application Data\mozilla\Firefox\Profiles\6hdpb69h.default\extensions\smoke@www.spuler.us
[2009/08/18 12:01:30 | 00,000,310 | ---- | M] () -- C:\Documents and Settings\Praha\Application Data\Mozilla\FireFox\Profiles\6hdpb69h.default\searchplugins\aim-search.xml
[2009/09/17 04:08:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2007/05/09 02:10:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/08/23 02:51:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/06/29 00:42:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2009/07/12 16:26:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/08/23 02:50:24 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/23 02:50:24 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/12 16:25:42 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2006/12/12 12:48:22 | 01,440,560 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2006/12/21 13:25:07 | 00,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2009/08/23 02:50:42 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2009/09/12 03:04:03 | 00,140,864 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2009/06/01 19:06:02 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/06/01 19:06:03 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/06/01 19:06:04 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/06/01 19:06:04 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/06/01 19:06:05 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/06/01 19:06:05 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/06/01 19:06:05 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/09/12 03:06:16 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2009/09/12 03:02:58 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2005/08/09 14:42:53 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\mozilla firefox\plugins\npunagi2.dll
[2008/12/27 03:30:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/12/27 03:30:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/12/27 03:30:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/12/27 03:30:00 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/12/27 03:30:00 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/12/27 03:30:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/12/27 03:30:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5c255c8a-e604-49b4-9d64-90988571cecb} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll File not found
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (StumbleUpon Toolbar) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll (stumbleupon.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam10\QuickCam10.exe ()
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Pure Networks, Inc.)
O4 - HKLM..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [TFncKy] File not found
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe ()
O4 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [Ad-Aware] C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe (Lavasoft)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\Narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [Ad-Aware] C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe (Lavasoft)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\Narrator.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceClassicControlPanel = 1
O7 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2070348330-2584055491-1958564374-1007\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Cake%20Mania%202/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Cake%20Mania%202/Images/armhelper.ocx (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll (Pure Networks, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (C:\WINDOWS\system32\logonuiX.exe) - C:\WINDOWS\System32\logonuiX.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - CLSID or File not found.
O22 - SharedTaskScheduler: {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - Deskscapes - Reg Error: Key error. File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/12/05 04:12:54 | 00,000,060 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{432be139-ee66-11da-b4b9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{432be139-ee66-11da-b4b9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{432be139-ee66-11da-b4b9-806d6172696f}\Shell\AutoRun\command - "" = D:\DIR615.exe -- [2002/09/30 00:33:16 | 00,126,976 | R--- | M] (InstallShield Software Corporation)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/09/23 04:34:33 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Praha\Desktop\OTL.exe
[2009/09/23 04:25:15 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/09/23 03:47:11 | 03,318,538 | R--- | C] () -- C:\Documents and Settings\Praha\Desktop\Combo-Fix.exe
[2009/09/23 03:45:17 | 00,000,000 | ---D | C] -- C:\Combo-Fix22985C
[2009/09/21 03:05:50 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/09/21 03:04:24 | 04,938,616 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Praha\My Documents\Silverlight.exe
[2009/09/18 03:55:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/09/17 23:31:51 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Praha\Desktop\RootRepeal.exe
[2009/09/17 23:05:51 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/17 11:36:34 | 01,694,208 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Praha\Desktop\msmsgs.exe
[2009/09/17 05:23:35 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Praha\Desktop\frwnkqsl.exe
[2009/09/17 05:08:00 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/09/17 05:06:08 | 06,291,456 | -H-- | C] () -- C:\Documents and Settings\Praha\Local Settings\Application Data\IconCache.db
[2009/09/17 03:30:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/09/16 04:55:38 | 00,000,000 | ---D | C] -- C:\Combo-Fix25969C
[2009/09/16 04:39:49 | 00,000,000 | ---D | C] -- C:\Combo-Fix3827C
[2009/09/16 04:12:44 | 00,000,000 | ---D | C] -- C:\Combo-Fix
[2009/09/16 03:51:20 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\Praha\Desktop\Win32kDiag.exe
[2009/09/16 03:37:09 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/09/16 03:36:19 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/09/16 03:36:12 | 00,000,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/09/16 02:34:05 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/09/16 01:50:07 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/16 01:50:02 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/16 01:50:01 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/16 00:43:58 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2009/09/16 00:04:47 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/09/16 00:04:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/09/15 23:46:13 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/09/15 23:45:45 | 00,057,544 | ---- | C] () -- C:\Documents and Settings\Praha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/12 13:40:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Praha\Local Settings\Application Data\beta
[2009/09/12 03:04:04 | 00,185,920 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2009/09/12 03:02:45 | 00,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2009/09/12 03:02:45 | 00,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2009/09/12 03:02:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2009/09/12 03:00:00 | 00,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/09/12 02:59:52 | 00,000,000 | ---D | C] -- C:\Program Files\real
[2009/09/12 02:59:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2009/09/11 07:08:39 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/09/11 06:36:59 | 60,857,536 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Praha\My Documents\Ad-AwareAE.exe
[2009/09/09 17:57:12 | 00,016,360 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\rive.db
[2009/09/09 17:57:10 | 00,014,021 | ---- | C] () -- C:\WINDOWS\ufit.lib
[2009/09/09 17:57:10 | 00,012,577 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\fomep._sy
[2009/09/05 04:31:06 | 00,001,811 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Network Magic.lnk
[2009/09/05 04:30:59 | 00,025,792 | ---- | C] (Pure Networks, Inc.) -- C:\WINDOWS\System32\drivers\pnarp.sys
[2009/09/05 04:30:43 | 00,026,944 | ---- | C] (Pure Networks, Inc.) -- C:\WINDOWS\System32\drivers\purendis.sys
[2009/09/05 04:30:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Pure Networks Shared
[2009/09/05 04:29:34 | 00,000,000 | ---D | C] -- C:\Program Files\Pure Networks
[2009/09/05 04:28:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2009/09/04 12:06:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/09/04 12:06:16 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/09/04 12:06:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Praha\Application Data\SUPERAntiSpyware.com
[2009/09/04 12:00:26 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/08/24 05:56:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Praha\Application Data\SoundSpectrum
[2009/08/24 05:54:24 | 00,000,000 | ---D | C] -- C:\Program Files\SoundSpectrum
[2009/07/28 23:28:25 | 00,050,127 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/11/22 02:05:53 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2008/08/30 12:47:54 | 00,002,162 | ---- | C] () -- C:\WINDOWS\System32\tmmute.ini
[2008/08/18 00:24:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2008/08/17 12:39:05 | 00,000,024 | ---- | C] () -- C:\WINDOWS\LogonStudio.ini
[2008/06/30 22:49:19 | 00,112,128 | RH-- | C] () -- C:\WINDOWS\CdaC14BA.DLL
[2008/06/30 22:49:14 | 00,008,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS
[2007/07/17 15:19:15 | 00,000,040 | ---- | C] () -- C:\WINDOWS\TITEMP.INI
[2007/05/29 23:37:15 | 00,005,315 | ---- | C] () -- C:\WINDOWS\TLTitleData.ini
[2007/03/28 21:18:36 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2007/03/27 11:45:22 | 00,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[2007/02/10 02:53:57 | 00,000,085 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2007/02/06 17:45:04 | 00,025,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2007/02/06 17:42:40 | 01,691,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys
[2006/12/06 01:53:23 | 00,000,116 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/12/04 18:58:16 | 00,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2006/12/04 18:58:16 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2006/10/21 17:56:01 | 00,000,678 | ---- | C] () -- C:\WINDOWS\tlknw4.ini
[2006/10/21 17:53:07 | 00,000,128 | ---- | C] () -- C:\WINDOWS\wldtlk4.ini
[2006/10/12 19:21:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI
[2006/10/06 22:23:35 | 00,001,633 | ---- | C] () -- C:\WINDOWS\Graffiti4.0.ini
[2006/10/02 23:57:41 | 00,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2006/07/15 04:43:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/13 07:19:24 | 00,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/06/01 22:10:14 | 00,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/12/21 21:04:48 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/11/30 19:16:05 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/11/30 19:16:05 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/11/30 19:16:05 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/11/30 19:16:05 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/11/29 18:52:15 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/11/29 18:22:08 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/11/07 13:00:07 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/11/07 12:27:47 | 00,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2005/11/05 00:07:42 | 00,000,429 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/11/05 00:05:40 | 00,000,172 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/11/05 00:03:51 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/11/05 00:03:51 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/11/05 00:03:51 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/11/05 00:03:51 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/11/05 00:03:51 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/11/05 00:03:51 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/11/04 23:31:32 | 00,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2005/11/04 23:27:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/11/04 22:59:49 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2005/11/04 22:59:49 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2005/11/04 22:30:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\CONFIG.SYS
[2005/11/04 22:26:52 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/11/04 20:56:25 | 00,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/04 20:53:31 | 00,001,247 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/11/04 20:53:25 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/08/24 19:20:28 | 00,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/01/07 19:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1997/06/13 22:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/09/23 04:34:39 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Praha\Desktop\OTL.exe
[2009/09/23 04:29:55 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/23 04:24:26 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/23 03:47:13 | 03,318,538 | R--- | M] () -- C:\Documents and Settings\Praha\Desktop\Combo-Fix.exe
[2009/09/23 03:38:28 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/09/21 03:04:30 | 04,938,616 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Praha\My Documents\Silverlight.exe
[2009/09/19 05:26:42 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/09/17 23:32:46 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Praha\Desktop\RootRepeal.exe
[2009/09/17 23:21:20 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/17 23:20:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/17 23:20:50 | 46,791,4752 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/17 23:19:14 | 00,019,391 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/09/17 05:23:47 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Praha\Desktop\frwnkqsl.exe
[2009/09/17 05:06:14 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Praha\Local Settings\Application Data\IconCache.db
[2009/09/17 03:47:37 | 00,000,910 | ---- | M] () -- C:\Documents and Settings\Praha\My Documents\My Sharing Folders.lnk
[2009/09/16 03:51:35 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\Praha\Desktop\Win32kDiag.exe
[2009/09/16 03:36:12 | 00,000,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/09/16 02:24:37 | 00,397,442 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/16 02:24:37 | 00,060,862 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/09/16 02:24:36 | 00,464,482 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/09/16 01:06:29 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/16 00:47:35 | 00,216,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/16 00:19:10 | 00,057,544 | ---- | M] () -- C:\Documents and Settings\Praha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/13 01:59:12 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2009/09/13 01:59:12 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2009/09/13 01:59:11 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2009/09/13 01:59:11 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2009/09/13 01:59:11 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2009/09/13 01:59:11 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2009/09/12 03:15:41 | 00,000,116 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2009/09/12 03:04:04 | 00,185,920 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2009/09/12 03:02:45 | 00,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2009/09/12 03:02:45 | 00,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2009/09/12 03:00:02 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll
[2009/09/12 03:00:01 | 00,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71.dll
[2009/09/12 03:00:00 | 00,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/09/11 06:37:12 | 60,857,536 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Praha\My Documents\Ad-AwareAE.exe
[2009/09/11 06:22:17 | 00,001,247 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/10 21:55:33 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/09 17:57:12 | 00,016,360 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\rive.db
[2009/09/09 17:57:10 | 00,014,021 | ---- | M] () -- C:\WINDOWS\ufit.lib
[2009/09/09 17:57:10 | 00,012,577 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\fomep._sy
[2009/09/05 04:31:07 | 00,001,811 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Network Magic.lnk
< End of report >

OTL EXTRAS LOG

OTL Extras logfile created on: 9/23/2009 4:35:13 AM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Praha\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.17 Mb Total Physical Memory | 90.29 Mb Available Physical Memory | 20.24% Memory free
1.38 Gb Paging File | 0.99 Gb Available in Paging File | 71.71% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.65 Gb Total Space | 6.59 Gb Free Space | 11.84% Space Free | Partition Type: NTFS
Drive D: | 76.57 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TORIN
Current User Name: Praha
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\mcafeeantivirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\mcafeefirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"57497:TCP" = 57497:TCP:*:Enabled:Pando P2P TCP Listening Port
"57497:UDP" = 57497:UDP:*:Enabled:Pando P2P UDP Listening Port
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- (America Online, Inc)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- (America Online Inc)
"C:\Program Files\Common Files\AOL\1131163763\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1131163763\EE\AOLServiceHost.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- (America Online Inc.)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\1131163763\EE\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1131163763\EE\aolsoftware.exe:*:Enabled:AOL Services -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1131163763\EE\aim6.exe" = C:\Program Files\Common Files\AOL\1131163763\EE\aim6.exe:*:Enabled:AIM -- (America Online, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI card Driver
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1535DCC2-6EB2-4FAC-9ABB-C3DC939BB87A}" = Chicken Hunter
"{205c6bdd-7b73-42de-8505-9a093f35a238}" = Windows Live Upload Tool
"{22b775e7-6c42-4fc5-8e10-9a5e3257bd94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{32A3A4F4-B792-11D6-A78A-00B0D0160140}" = Java™ SE Development Kit 6 Update 14
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
"{38E225FC-F866-4569-BDC8-04FFDF8BA0A9}" = Expedia Fare Alert 2.1
"{3b4e636e-9d65-4d67-ba61-189800823f52}" = Windows Live Communications Platform
"{3D2B8CFC-0F08-47FA-9B55-929FA5DFBEA7}" = Voyager 4 Demo
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{42C402C3-F95B-4BA2-BC90-99816AAF8159}" = Space Colony
"{4399AC32-3FD8-421C-BE79-9F3A3D9945E0}" = Berlitz Learning System - German
"{45338b07-a236-4270-9a77-ebb4115517b5}" = Windows Live Sign-in Assistant
"{45E547E4-8D06-425E-818F-B167158EBFC5}" = Berlitz Learning System - Japanese
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{4ACAD9F3-6EB9-4340-B659-236D40F800BF}" = 11 Languages of the World
"{4C5D15D2-5351-4F05-A96E-56C20554F977}" = RollerCoaster Tycoon 2 Triple Thrill Pack
"{55C18E7C-6806-489E-9EB8-77F68C0CB7E8}" = Berlitz Before You Know It Flash Cards
"{57f0ed40-8f11-41aa-b926-4a66d0d1a9cc}" = Microsoft Office Live Add-in 1.3
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5D96E2B1-D9AC-46E0-9073-425C5F63E338}" = Touch and Launch
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69BE47C2-36FE-4397-8199-85D8EAE69982}" = TOSHIBA TouchPad ON/Off Utility
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}" = Atheros Client Utility
"{7432727C-9EE9-48C6-B2B8-529D55616336}" = Berlitz Learning System - Italian
"{78B50D1D-642C-4B89-BCC7-352EAE3614D7}" = iPod for Windows 2005-02-07
"{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities
"{7D2370AC-D8E6-4996-986A-19824F8A167C}" = Logitech QuickCam
"{81128ee8-8ead-4db0-85c6-17c2ce50ff71}" = Windows Live Essentials
"{852DBAD9-ECAC-48FD-99D8-775CF9BFD42C}" = Moorfrosch XXL
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B12BA86-ADAC-4BA6-B441-FFC591087252}" = TOSHIBA Virtual Sound
"{8C4504A1-9280-11D5-9F7E-00902712427E}" = Sid Meier's SimGolf
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{926C96FB-9D0A-4504-8000-C6D3A4A3118E}" = Java DB 10.4.2.1
"{92B94569-6683-4617-8C54-EB27A1B51B30}" = GTAIII
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{95120000-00b9-0409-0000-0000000ff1ce}" = Microsoft Application Error Reporting
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{a1f66fc9-11ee-4f2f-98c9-16f8d1e69fb7}" = Segoe UI
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{a85fd55b-891b-4314-97a5-ea96c0bd80b5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B975F4A1-63B6-11D4-BFEC-005004AF2D32}" = Monopoly Tycoon
"{BA561482-C49D-4687-A61C-96236C1688F0}" = ArcSoft Software Suite
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{BEF726DD-4037-4214-8C6A-E625C02D2870}" = Logitech Audio Echo Cancellation Component
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CA9A3609-3ECC-4574-8824-A8161A71A603}" = Canon MP150
"{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}" = iTunes
"{D5773BFA-5967-4A1C-AD0F-FFFD0D13FC36}" = Network Magic
"{D91B4FCE-8E9C-47EF-9AF6-C1B52B336A69}" = Berlitz Learning System - Italian
"{ded53b0b-b67c-4244-ae6a-d6fd3c28d1ef}" = Ad-Aware
"{E78C2B49-D906-462A-8E3D-D51670F91DDF}" = Country Varmint Hunter
"{EA516024-D84D-41F1-814F-83175A6188F2}" = Logitech Video Enumerator
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EF980981-E9E9-4248-8F35-C0C4007FDE55}" = Berlitz Learning System - German
"{f0e12bba-ad66-4022-a453-a1c8a0c4d570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{f333a33d-125c-32a2-8dce-5c5d14231e27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{f333a33d-125c-32a2-8dce-5c5d14231e27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{f6bd194c-4190-4d73-b1b1-c48c99921bfe}" = Windows Live Call
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"{FCC07EEA-FA18-4A21-9105-9666603C6885}" = McAfee Virtual Technician
"3DGroove" = OTOY
"63EE44B183E6F9261BBEDC6E0DD479A3ED939932" = Windows Driver Package - Pure Networks, Inc. Network Magic Device Discovery Driver (03/23/2007 4.1.7082.0)
"ad-aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced Video FX Utility" = Advanced Video FX Utility
"AIM_6" = AIM 6
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ATI Display Driver" = ATI Display Driver
"AutumnMahjongg_is1" = AutumnMahjongg
"AVGantiRootkit" = AVG Anti-Rootkit Free
"BEFD16F14D4EBCB5CDB94F8C748ECA76860D7D88" = Windows Driver Package - Pure Networks, Inc. Network Magic Wireless Driver (03/23/2007 4.1.7082.0)
"Bejeweled 2 Deluxe 1.1" = Bejeweled 2 Deluxe 1.1
"CdaC13Ba" = Cda Product Service - shared component
"Cheetah Mahjongg_is1" = Cheetah Mahjongg
"CityMahjongg_is1" = CityMahjongg
"Colosseum Mahjongg" = Colosseum Mahjongg (remove only)
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Creative Photo Manager" = Creative Photo Manager
"Creative WebCam Center" = Creative WebCam Center
"Destination Mahjongg_is1" = Destination Mahjongg
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"EphPod" = EphPod
"Gadget Mahjongg_is1" = Gadget Mahjongg
"Geometric Mahjongg_is1" = Geometric Mahjongg
"G-Force" = G-Force
"Hammurabi Mahjongg" = Hammurabi Mahjongg (remove only)
"HijackThis" = HijackThis 1.99.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Imhotep Mahjongg" = Imhotep Mahjongg (remove only)
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"InstallShield_{78B50D1D-642C-4B89-BCC7-352EAE3614D7}" = iPod for Windows 2005-02-07
"InterActual Player" = InterActual Player
"Kids Mahjongg 1.0" = Kids Mahjongg
"LimeWire" = LimeWire 4.16.6
"Mahjongg 1.0" = Mahjongg
"Mahjongg Deluxe 1.0" = Mahjongg Deluxe
"malwarebytes' anti-malware_is1" = Malwarebytes' Anti-Malware
"MD-Mahjongg" = MD-Mahjongg
"Medieval Mahjongg_is1" = Medieval Mahjongg
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MountainMahjongg_is1" = MountainMahjongg
"Mozilla Firefox (3.0.13)" = Mozilla Firefox (3.0.13)
"MP Navigator 2.0" = Canon MP Navigator 2.0
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MysticMahjongg_is1" = MysticMahjongg
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Packet Tracer 3.2_is1" = Packet Tracer 3.2
"Packet Tracer 4.01_is1" = Packet Tracer 4.01
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"Poker Drop" = Poker Drop 1.0
"Power Saver" = TOSHIBA Power Saver
"Prison Tycoon" = Prison Tycoon
"QcDrv" = Logitech® Camera Driver
"realplayer 12.0" = RealPlayer
"SereneScreen Marine Aquarium" = SereneScreen Marine Aquarium
"Shamanic Mahjongg_is1" = Shamanic Mahjongg
"StumbleUponIEToolbar" = StumbleUpon IE Toolbar
"Texas Hold'em 3D XP Championship" = Texas Hold'em 3D XP Championship
"Tonatiuh Mahjongg" = Tonatiuh Mahjongg (remove only)
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Water Mahjongg_is1" = Water Mahjongg
"WebCam Instant Product Registration" = WebCam Instant Product Registration
"wic" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"winlivesuite_wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Toolbar" = Yahoo! Toolbar
"Zoo Tycoon 1.0" = Microsoft Zoo Tycoon

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2070348330-2584055491-1958564374-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Sun Download Manager 2.0 (web)" = Sun Download Manager 2.0 (web)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/17/2009 3:05:05 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application wlcomm.exe, version 14.0.8064.206, faulting module
fd64d312.x86.dll, version 0.0.0.0, fault address 0x00005874.

Error - 9/17/2009 3:14:43 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application wlcomm.exe, version 14.0.8064.206, faulting module
fd64d312.x86.dll, version 0.0.0.0, fault address 0x00005874.

Error - 9/17/2009 3:17:49 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application wlcomm.exe, version 14.0.8064.206, faulting module
fd64d312.x86.dll, version 0.0.0.0, fault address 0x00005874.

Error - 9/17/2009 3:19:01 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application wlcomm.exe, version 14.0.8064.206, faulting module
fd64d312.x86.dll, version 0.0.0.0, fault address 0x00005874.

Error - 9/17/2009 3:21:25 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application wlcomm.exe, version 14.0.8064.206, faulting module
fd64d312.x86.dll, version 0.0.0.0, fault address 0x00005874.

Error - 9/17/2009 3:32:46 AM | Computer Name = TORIN | Source = MsiInstaller | ID = 1013
Description = Product: Windows Live Messenger -- Your computer has a newer version
of Windows Live Messenger than the one you are trying to install. To install an
older version, first remove the current version (click Start, Settings, Control
Panel, Add or Remove, Windows Live Messenger), and then run this Set Up again.

Error - 9/17/2009 3:48:57 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application wlcomm.exe, version 14.0.8064.206, faulting module
fd64d312.x86.dll, version 0.0.0.0, fault address 0x00005874.

Error - 9/17/2009 10:42:25 AM | Computer Name = TORIN | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: System.EnterpriseServices, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a . Error code = 0x80070003

Error - 9/22/2009 3:24:19 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application msmsgs.exe, version 4.7.0.3001, faulting module
msmsgs.exe, version 4.7.0.3001, fault address 0x000918f5.

Error - 9/22/2009 4:55:42 AM | Computer Name = TORIN | Source = Application Error | ID = 1000
Description = Faulting application msmsgs.exe, version 4.7.0.3001, faulting module
msmsgs.exe, version 4.7.0.3001, fault address 0x000918f5.

[ System Events ]
Error - 9/22/2009 3:23:57 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7000
Description = The Background Intelligent Transfer Service service failed to start
due to the following error: %%2

Error - 9/22/2009 5:26:31 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 9/22/2009 6:55:57 PM | Computer Name = TORIN | Source = DCOM | ID = 10005
Description = DCOM got error "%2" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 9/22/2009 6:55:59 PM | Computer Name = TORIN | Source = Service Control Manager | ID = 7000
Description = The Automatic Updates service failed to start due to the following
error: %%2

Error - 9/23/2009 3:49:09 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7034
Description = The C-DillaCdaC11BA service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/23/2009 3:49:09 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/23/2009 3:49:54 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 9/23/2009 4:01:13 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 9/23/2009 4:14:06 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 9/23/2009 4:24:07 AM | Computer Name = TORIN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.


< End of report >


The malware log will be posted in the next post.
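The Windows Firewall policy section of the OTL log above is easiest to read mechanically: each GloballyOpenPorts entry is `port:proto:scope:state:description`, each AuthorizedApplications entry is `path:scope:state:name -- (publisher)` or `-- File not found`, a scope of `*` means reachable from any remote address, and a description beginning with `@` is a Windows resource string marking a built-in exception. The script below is an added example, not code from the thread or from OTL, and the policy lines it parses are constructed to resemble that format (hypothetical paths and product names); it lists the third-party exceptions open to any address and the enabled application exceptions whose executable is gone.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample lines in the OTL "GloballyOpenPorts" and
# "AuthorizedApplications" formats (hypothetical, not a real host's policy).
SAMPLE_POLICY = r'''
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"57497:TCP" = 57497:TCP:*:Enabled:Pando P2P TCP Listening Port
"57497:UDP" = 57497:UDP:*:Enabled:Pando P2P UDP Listening Port
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service
"8080:TCP" = 8080:TCP:*:Disabled:Example proxy
"C:\Program Files\Example IM\oldcall.exe" = C:\Program Files\Example IM\oldcall.exe:*:Enabled:Example IM (Phone) -- File not found
"C:\Program Files\Example P2P\p2p.exe" = C:\Program Files\Example P2P\p2p.exe:*:Enabled:Example P2P -- (Example Corp.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
'''


class PortRule(NamedTuple):
    port: int
    proto: str
    scope: str         # "*" = any remote address; "LocalSubNet" = LAN only
    enabled: bool
    description: str   # a leading "@" is a Windows resource string (built-in rule)


class AppRule(NamedTuple):
    path: str
    scope: str
    enabled: bool
    name: str
    file_missing: bool  # OTL appends "-- File not found" when the binary is gone


PORT_RE = re.compile(
    r'^"[^"]+"\s*=\s*(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):'
    r'(?P<state>Enabled|Disabled):(?P<desc>.*)$')
APP_RE = re.compile(
    r'^"[^"]+"\s*=\s*(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):'
    r'(?P<name>.*?)(?:\s+--\s+(?P<tail>.*))?$')


def parse_policy(text: str):
    ports: List[PortRule] = []
    apps: List[AppRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Try the port form first: an app line never starts with digits,
        # but a port line would also satisfy the looser APP_RE.
        m = PORT_RE.match(line)
        if m:
            ports.append(PortRule(int(m['port']), m['proto'], m['scope'],
                                  m['state'] == 'Enabled', m['desc']))
            continue
        m = APP_RE.match(line)
        if m:
            apps.append(AppRule(m['path'], m['scope'], m['state'] == 'Enabled',
                                m['name'], (m['tail'] or '') == 'File not found'))
    return ports, apps


def ports_open_to_any(ports: List[PortRule]) -> List[PortRule]:
    """Enabled port exceptions reachable from any address that are not
    Windows' own resource-string entries: third-party holes in the host firewall."""
    return [p for p in ports
            if p.enabled and p.scope == '*' and not p.description.startswith('@')]


def stale_app_exceptions(apps: List[AppRule]) -> List[AppRule]:
    """Enabled application exceptions whose executable no longer exists."""
    return [a for a in apps if a.enabled and a.file_missing]


def triage_firewall(text: str) -> Dict[str, list]:
    ports, apps = parse_policy(text)
    return {
        'ports_open_to_any': ports_open_to_any(ports),
        'stale_app_exceptions': stale_app_exceptions(apps),
        'enabled_app_exceptions': [a for a in apps if a.enabled],
    }


if __name__ == '__main__':
    for key, items in triage_firewall(SAMPLE_POLICY).items():
        print(key)
        for item in items:
            print('   ', item)
```

Run it on the real StandardProfile block by pasting those lines into SAMPLE_POLICY; a stale exception is harmless on its own but is an easy place for a dropper to reuse a path that is already whitelisted, so it belongs on the cleanup list.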

#14 Torin (Topic Starter)

Posted 23 September 2009 - 05:25 AM

MALWARE LOG

Malwarebytes' Anti-Malware 1.41
Database version: 2848
Windows 5.1.2600 Service Pack 2

9/23/2009 6:23:51 AM
mbam-log-2009-09-23 (06-23-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 240985
Time elapsed: 1 hour(s), 34 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avgantirootkit (Backdoor.PcClient) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe (Backdoor.PcClient) -> No action taken.
C:\Qoobox\Quarantine\C\fjmpqp.exe.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\Quarantine\C\wpfpqa.exe.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ae94c7c5.sys.vir (Rootkit.Rustock) -> No action taken.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP752\A0292008.exe (Trojan.Banker) -> No action taken.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP752\A0292025.dll (Trojan.Sirefef) -> No action taken.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP752\A0292027.exe (Trojan.Banker) -> No action taken.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP752\A0292147.cpl (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP752\A0292160.sys (Rootkit.Rustock) -> No action taken.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP754\A0292482.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{CF8A54B3-00DE-4AA7-AEA8-9EB54C29EA21}\RP754\A0292484.exe (Trojan.Downloader) -> No action taken.

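When reading a Malwarebytes log like the one above, the first question is which detections are still active: paths under C:\Qoobox\Quarantine are ComboFix's quarantine copies (renamed .vir) and paths under System Volume Information\_restore{...} are System Restore snapshots, so neither is an executing file, whereas registry items and files under Program Files or system32 are. The script below is an added example, not code from the thread or from Malwarebytes; it parses the 1.x log layout shown above (`path (Family) -> action`, with registry data items carrying a `Bad: (1) Good: (0) ->` prefix before the action) and separates live, untreated findings from quarantine and restore-point hits. The sample log it embeds is constructed, with hypothetical paths, GUID and detection names.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample in the Malwarebytes Anti-Malware 1.x log layout; the
# paths, GUID and detection names are hypothetical, not from a real scan.
SAMPLE_MBAM = r'''
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\example_tool (Backdoor.Example) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Example Tool\Uninstall.exe (Backdoor.Example) -> No action taken.
C:\Qoobox\Quarantine\C\abcdef.exe.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\12345678.sys.vir (Rootkit.Rustock) -> No action taken.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe (Trojan.Banker) -> No action taken.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000002.dll (Trojan.Sirefef) -> No action taken.
C:\WINDOWS\system32\drivers\deadbeef.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
'''

# Non-greedy path so a "(x86)" inside the path is not mistaken for the family.
DET_RE = re.compile(r'^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$')


class Detection(NamedTuple):
    path: str
    family: str
    action: str
    location: str  # 'live' | 'registry' | 'quarantine' | 'restore_point'


def classify(path: str) -> str:
    p = path.lower()
    if p.startswith('hkey_'):
        return 'registry'
    if '\\system volume information\\_restore' in p:
        return 'restore_point'   # System Restore snapshot, not an active file
    if p.startswith('c:\\qoobox\\quarantine'):
        return 'quarantine'      # ComboFix quarantine copy, already neutralised
    return 'live'


def parse_mbam(text: str) -> List[Detection]:
    dets: List[Detection] = []
    for line in text.splitlines():
        m = DET_RE.match(line.strip())   # section headers and "(No malicious
        if m:                            # items detected)" simply do not match
            dets.append(Detection(m['path'], m['family'], m['action'],
                                  classify(m['path'])))
    return dets


def summarize(dets: List[Detection]) -> Dict[str, int]:
    """Count of detections per location class."""
    return dict(Counter(d.location for d in dets))


def needs_attention(dets: List[Detection]) -> List[Detection]:
    """Detections that are both active on the system and still untreated."""
    return [d for d in dets
            if d.location in ('live', 'registry') and 'No action taken' in d.action]


if __name__ == '__main__':
    found = parse_mbam(SAMPLE_MBAM)
    print(summarize(found))
    for d in needs_attention(found):
        print(f'{d.location:9} {d.family:25} {d.path}')
```

Applied to the log above, this reduces twelve "infected" files to one live file plus the registry items; the quarantine and restore-point entries are cleared by emptying the quarantine and flushing System Restore once the machine is clean, not by treating them as an active infection. "No action taken" also confirms the scan was run without the Remove Selected step, which matters when comparing this log with the next one.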
#15 sempai (Malware Response Team)

Posted 23 September 2009 - 06:28 AM

Hi,

I am creating a fix for you and will post it ASAP.


~Semp
