
unknown virus...


  • This topic is locked
64 replies to this topic

#1 lenny.coffee

lenny.coffee

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 29 September 2009 - 01:54 AM

My local disk D was suddenly formatted, and when I try to format it, it says: The disk in drive D cannot be formatted.
Also, the data in New Volume E is no longer accessible, although it acknowledges I have used 10 GB in that drive (free space: 19.31 GB/30.1 GB).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:14 PM, on 29/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\asd\loadqm.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\myibay\myibay.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ats] C:\WINDOWS\system32\asd\loadqm.exe noshow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [GrooveMonitor] "G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8089 bytes
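
A triage pass over the O2/O4/O23 lines of the HijackThis log above, as an added example (it is not part of the original post and not HijackThis's own code): it parses those three line shapes and lists the entries a responder would look at first, for the reasons a malware-response volunteer normally checks (orphaned BHO CLSIDs, bare filenames resolved through the search path, binaries living in a subfolder of system32, unquoted paths with spaces, services with no publisher string). The location rules, the set of "expected" directories and the subset of log lines used as sample input are assumptions chosen for illustration; a flag means "look here", not a verdict on the entry.

```python
"""Triage helper for HijackThis v2 logs.

Added example; not part of the original post and not a HijackThis component.
It parses the O2 (BHO), O4 (Run key) and O23 (service) lines and lists the
entries a responder would want to look at first. The location rules below
are assumptions for illustration, not a verdict on any entry.
"""
import ntpath
import re

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Directories treated as normal homes for autostart binaries (assumption).
EXPECTED_DIRS = {'c:\\windows', 'c:\\windows\\system32', '%systemroot%\\system32'}


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.*?\.(?:exe|dll|scr|cpl))(?:\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def review_reasons(path: str, owner: str = '', quoted: bool = True) -> list:
    """Heuristic reasons to look at an entry; an empty list means nothing stood out."""
    if path == '(no file)':
        return ['registered CLSID whose file is missing (orphaned BHO)']
    reasons = []
    lowered = ntpath.normpath(path).lower()
    directory = ntpath.dirname(lowered)
    if not directory:
        reasons.append('bare filename, located via the search path at logon')
    elif directory.startswith('c:\\windows\\system32\\'):
        reasons.append('runs from a subfolder of system32 rather than system32 itself')
    elif directory in EXPECTED_DIRS or directory.startswith('c:\\windows\\'):
        pass
    elif '\\program files\\' in directory + '\\' or '\\progra~1\\' in directory + '\\':
        pass
    else:
        reasons.append('unusual location: ' + directory)
    if not quoted and ' ' in path:
        reasons.append('unquoted path containing spaces (CreateProcess may resolve it ambiguously)')
    if owner == 'Unknown owner':
        reasons.append('service binary carries no publisher string')
    return reasons


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return the entries that have at least one review reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = executable_of(m['cmd'])
            reasons = review_reasons(exe, quoted=m['cmd'].lstrip().startswith('"'))
            kind, name, path = 'O4 ' + m['hive'], m['name'], exe
        elif m := O2_RE.match(line):
            reasons = review_reasons(m['path'])
            kind, name, path = 'O2', m['name'], m['path']
        elif m := O23_RE.match(line):
            reasons = review_reasons(m['path'], owner=m['owner'])
            kind, name, path = 'O23', m['name'], m['path']
        else:
            continue
        if reasons:
            findings.append({'kind': kind, 'name': name, 'path': path, 'reasons': reasons})
    return findings


# Sample input: a subset of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ats] C:\WINDOWS\system32\asd\loadqm.exe noshow
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:9} {f['name']:<40} {f['path']}")
        for r in f['reasons']:
            print('          - ' + r)
```

Run on the sample it reports the orphaned BHO, the two bare-filename Run entries, the Windows IME entry and the [ats] loadqm.exe entry (both caught by the same subfolder-of-system32 rule), the unquoted Gmail Notifier path and the ATI Smart service; the avast, Groove, ctfmon and dumprep entries pass. That the IME line is flagged alongside loadqm.exe is the point of the design: the script narrows the list, the responder decides, and the next thing to cross-check for any flagged binary is a publisher column such as the one in the OTL output later in this thread.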



#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 16 October 2009 - 04:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 23 October 2009 - 04:08 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

#4 lenny.coffee

lenny.coffee
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 23 October 2009 - 10:27 PM

I have downloaded DDS.scr to my desktop and clicked it. The box opens up telling to wait, but then after a while it disappears and no notepad file comes up. I had disabled AVG resident shield and my windows firewall.
Another thing: My computer does not shut down when I press 'shutdown', instead it reboots.

#5 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 23 October 2009 - 10:29 PM

**Re-opened per OP request**

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

Please let me know exactly what problems you are currently experiencing

==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check".
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Description of current problems
* OTL.txt
* OTL Extra.txt
* Gmer log

Kind regards,
~t

#6 lenny.coffee

lenny.coffee
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 23 October 2009 - 10:41 PM

Description of current problems:

My local disk D was suddenly formatted, and when I try to format it, it says: The disk in drive D cannot be formatted.

The data in New Volume E is no longer accessible, although it acknowledges I have used 10 GB in that drive (free space: 19.31 GB/30.1 GB).

My computer does not shut down when I press 'shutdown'; instead it reboots.

Going to System Properties > Startup and Recovery > Settings gives me:
'The C:\boot.ini cannot be opened. Operating system and Timeout settings cannot be changed.'

Firefox sometimes tells me it has to close down.

OTL:

OTL logfile created on: 24/10/2009 2:32:29 PM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\Leonard\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.28 Gb Total Space | 10.39 Gb Free Space | 35.48% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
Drive E: | 30.20 Gb Total Space | 19.29 Gb Free Space | 63.88% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 465.76 Gb Total Space | 139.43 Gb Free Space | 29.94% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LENNY
Current User Name: Leonard
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/24 14:31:56 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Leonard\Desktop\OTL.exe
PRC - [2009/10/24 14:14:42 | 01,053,976 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/24 14:14:42 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/24 14:14:42 | 00,597,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/10/24 14:14:42 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/10/24 14:14:40 | 02,007,320 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/10/24 14:14:40 | 00,826,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2009/10/24 14:14:40 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/10/13 23:53:02 | 00,289,072 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2009/09/21 16:36:12 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/21 16:36:02 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/09/10 22:04:20 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/18 16:08:24 | 04,544,078 | ---- | M] (Driver-Soft Inc.) -- C:\Program Files\Driver-Soft\DriverGenius\DriverGenius.exe
PRC - [2009/07/26 16:44:34 | 03,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/20 15:48:54 | 02,815,408 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IDMan.exe
PRC - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/18 11:15:40 | 00,156,672 | ---- | M] () -- C:\Program Files\myibay\myibay.exe
PRC - [2009/02/26 07:27:42 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2008/12/18 14:32:52 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2008/12/18 13:19:44 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/02/18 23:01:02 | 00,251,312 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IEMonitor.exe
PRC - [2007/09/06 23:08:04 | 00,136,136 | ---- | M] (DT Soft Ltd.) -- C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
PRC - [2007/07/06 07:08:00 | 16,380,416 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2007/05/29 02:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2006/10/27 00:47:42 | 00,031,016 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2006/03/21 13:19:40 | 00,069,632 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
PRC - [2005/08/26 19:35:42 | 00,659,456 | ---- | M] () -- C:\WINDOWS\System32\asd\loadqm.exe
PRC - [2005/07/16 07:48:34 | 00,479,232 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Gmail Notifier\gnotify.exe
PRC - [2004/08/03 14:56:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2003/09/29 22:17:16 | 00,175,616 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/10/24 14:14:40 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd [Auto | Running])
SRV - [2009/09/21 16:36:02 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/07/09 12:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/02/26 07:27:42 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2009/02/25 15:15:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/05/29 02:57:54 | 00,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE [Auto | Running])
SRV - [2006/10/27 00:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/08/04 00:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/10/24 14:14:48 | 00,161,672 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86 [Boot | Running])
DRV - [2009/10/24 14:14:46 | 00,356,616 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2009/10/24 14:14:44 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/10/24 14:14:44 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/09/04 17:59:18 | 00,721,904 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2009/09/02 22:09:24 | 00,025,280 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\DRIVERS\hamachi.sys -- (hamachi [On_Demand | Stopped])
DRV - [2009/08/28 19:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2009/04/01 11:23:18 | 00,170,496 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\atinavt2.sys -- (ATIAVAIW [On_Demand | Running])
DRV - [2009/02/26 08:58:58 | 03,565,568 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2007/07/11 00:56:00 | 04,449,280 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2007/06/20 02:47:58 | 00,255,896 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Running])
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2004/08/03 23:10:14 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2004/07/17 01:36:38 | 00,027,440 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2003/09/30 06:33:00 | 00,022,912 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\System32\Drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])
DRV - [2003/09/16 02:57:36 | 00,009,728 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Running])
DRV - [2003/03/29 01:25:52 | 00,003,840 | ---- | M] (Elaborate Bytes) -- C:\WINDOWS\System32\Drivers\ElbyDelay.sys -- (ElbyDelay [On_Demand | Running])
DRV - [2001/08/23 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])

========== Modules (SafeList) ==========

MOD - [2009/10/24 14:31:56 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Leonard\Desktop\OTL.exe
MOD - [2009/03/27 01:35:40 | 00,034,224 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\idmmkb.dll
MOD - [2005/12/19 19:16:10 | 00,135,168 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
MOD - [2004/08/03 14:57:02 | 01,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15187&l=dis
IE - HKU\S-1-5-21-583907252-484763869-839522115-1003\..\URLSearchHook: {b592e943-0cb6-482c-849e-a2311298cdfd} - C:\Program Files\Softonic-Eng3\tbSoft.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-583907252-484763869-839522115-1003\S-1-5-21-583907252-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-583907252-484763869-839522115-1003\S-1-5-21-583907252-484763869-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com.au/ig?hl=en&source=iglk"
FF - prefs.js..extensions.enabledItems: {9AA46F4F-4DC7-4c06-97AF-5035170633FE}:0.4.5.14
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.4
FF - prefs.js..extensions.enabledItems: {6D898772-AD34-4c16-86BB-9DE787A5DEA0}:1.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {0AA9101C-D3C1-4129-A9B7-D778C6A17F82}:1.06
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/30 01:43:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/30 18:14:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/10/24 11:00:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/30 17:57:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/30 17:57:48 | 00,000,000 | ---D | M]

[2009/08/30 17:59:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\mozilla\Extensions
[2009/08/30 17:59:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/30 17:59:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\mozilla\Firefox\Profiles\qjex6qtl.default\extensions
[2009/08/30 18:02:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\mozilla\Firefox\Profiles\qjex6qtl.default\extensions\{0AA9101C-D3C1-4129-A9B7-D778C6A17F82}
[2009/08/30 18:05:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\mozilla\Firefox\Profiles\qjex6qtl.default\extensions\{6D898772-AD34-4c16-86BB-9DE787A5DEA0}
[2009/09/03 22:12:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\mozilla\Firefox\Profiles\qjex6qtl.default\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
[2009/08/30 18:05:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\mozilla\Firefox\Profiles\qjex6qtl.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/10/12 10:24:34 | 00,002,255 | ---- | M] () -- C:\Documents and Settings\Leonard\Application Data\Mozilla\FireFox\Profiles\qjex6qtl.default\searchplugins\askcom.xml
[2009/08/30 17:57:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/30 17:57:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/30 18:14:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/08/30 20:31:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/09/10 22:04:20 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/10 22:04:20 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/25 05:23:02 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/09/11 05:56:44 | 00,144,960 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2008/09/11 05:37:54 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/09/10 22:04:20 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2009/10/04 14:55:00 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/10/04 14:55:00 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/10/04 14:55:00 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/10/04 14:55:00 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/10/04 14:55:00 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/10/04 14:55:00 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/10/04 14:55:00 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/07/16 04:10:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/16 04:10:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/16 04:10:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/16 04:10:00 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/16 04:10:00 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/16 04:10:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/16 04:10:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - G:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Softonic-Eng3 Toolbar) - {b592e943-0cb6-482c-849e-a2311298cdfd} - C:\Program Files\Softonic-Eng3\tbSoft.dll (Conduit Ltd.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Softonic-Eng3 Toolbar) - {b592e943-0cb6-482c-849e-a2311298cdfd} - C:\Program Files\Softonic-Eng3\tbSoft.dll (Conduit Ltd.)
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] G:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
O4 - HKLM..\Run: [ats] C:\WINDOWS\System32\asd\loadqm.exe ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CloneDVDElbyDelay] C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe (Elaborate Bytes AG)
O4 - HKLM..\Run: [ElbyCheckAnyDVD] C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe (Elaborate Bytes AG)
O4 - HKLM..\Run: [GrooveMonitor] G:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe File not found
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ScanSoft OmniPage SE 4.0-reminder] C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-583907252-484763869-839522115-1003..\Run: [AlcoholAutomount] C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe (Alcohol Soft Development Team)
O4 - HKU\S-1-5-21-583907252-484763869-839522115-1003..\Run: [DAEMON Tools Pro Agent] C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (DT Soft Ltd.)
O4 - HKU\S-1-5-21-583907252-484763869-839522115-1003..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe (Tonec Inc.)
O4 - HKU\S-1-5-21-583907252-484763869-839522115-1003..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\program files\common files\nero\lib\nmindexstoresvr.exe File not found
O4 - HKU\S-1-5-21-583907252-484763869-839522115-1003..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-583907252-484763869-839522115-1003..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\Leonard\Start Menu\Programs\Startup\myibay eBay bid sniper.lnk = C:\Program Files\myibay\myibay.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKU\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - G:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - G:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-583907252-484763869-839522115-1003\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - G:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - G:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/27 19:21:44 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2009/07/12 06:41:13 | 00,000,000 | ---- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (/p) - File not found
O34 - HKLM BootExecute: (\??\E:) - File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/10/04 14:55:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/10/24 11:00:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2009/09/24 22:56:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
[2009/09/29 22:03:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
[2009/09/24 22:56:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft
[2009/09/24 23:06:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Application Data\Canon
[2009/09/25 13:48:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Application Data\Nero
[2009/10/24 10:18:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Application Data\Passware
[2009/10/12 21:18:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Application Data\Red Kawa
[2009/09/24 22:56:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Application Data\ScanSoft
[2009/10/12 23:11:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Application Data\SunODFPluginforMicrosoftOffice
[2009/10/12 01:50:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Application Data\vlc
[2009/09/29 22:04:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Local Settings\Application Data\Ahead
[2009/09/27 00:59:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Local Settings\Application Data\Apple_Inc
[2009/10/12 21:03:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Local Settings\Application Data\Geckofx
[2009/10/12 01:25:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Local Settings\Application Data\Softonic-Eng3
[2009/10/08 22:01:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies
[2009/09/27 00:57:23 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2009/09/25 13:47:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2009/09/24 22:57:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PDFView
[2009/09/24 22:56:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ScanSoft Shared
[2009/10/12 01:05:41 | 00,000,000 | ---D | C] -- C:\Program Files\AC3Filter
[2009/10/24 11:00:11 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/09/24 22:55:49 | 00,000,000 | ---D | C] -- C:\Program Files\Canon
[2009/10/24 11:12:38 | 00,000,000 | ---D | C] -- C:\Program Files\Driver-Soft
[2009/09/25 11:14:24 | 00,000,000 | ---D | C] -- C:\Program Files\Elaborate Bytes
[2009/10/12 20:44:22 | 00,000,000 | ---D | C] -- C:\Program Files\eRightSoft
[2009/10/16 21:57:59 | 00,000,000 | ---D | C] -- C:\Program Files\gBurner
[2009/09/27 00:48:18 | 00,000,000 | ---D | C] -- C:\Program Files\iPhone Configuration Utility
[2009/10/04 14:55:26 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/10/04 14:55:25 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/09/27 00:57:23 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2009/09/27 00:55:52 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2009/09/27 00:57:42 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2009/09/27 00:57:03 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2009/09/25 13:47:40 | 00,000,000 | ---D | C] -- C:\Program Files\Nero
[2009/09/24 22:57:11 | 00,000,000 | ---D | C] -- C:\Program Files\NewSoft
[2009/10/04 14:54:51 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/10/12 21:03:07 | 00,000,000 | ---D | C] -- C:\Program Files\Red Kawa
[2009/09/25 17:10:55 | 00,000,000 | ---D | C] -- C:\Program Files\SatSignal Software
[2009/09/24 22:56:22 | 00,000,000 | ---D | C] -- C:\Program Files\ScanSoft
[2009/09/25 11:12:54 | 00,000,000 | ---D | C] -- C:\Program Files\SlySoft
[2009/10/12 01:25:03 | 00,000,000 | ---D | C] -- C:\Program Files\Softonic-Eng3
[2009/09/29 16:50:08 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/10/24 14:31:47 | 00,521,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Leonard\Desktop\OTL.exe
[2009/10/24 14:14:46 | 00,161,672 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2009/10/24 14:14:46 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/10/24 14:14:45 | 00,356,616 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/10/24 14:14:42 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/10/24 14:14:42 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/10/24 14:14:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/10/24 12:01:28 | 00,053,248 | ---- | C] (Windows XP Bundled build C-Centric Single User) -- C:\WINDOWS\System32\CSVer.dll
[2009/10/24 11:19:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\My Documents\DriverGenius
[2009/10/24 10:14:50 | 24,281,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/10/21 15:30:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\My Documents\New Folder
[2009/10/16 22:08:07 | 00,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2009/10/12 21:18:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\My Documents\Red Kawa
[2009/10/12 20:44:31 | 00,070,656 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\i420vfw.dll
[2009/10/12 01:49:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\My Documents\The KMPlayer
[2009/10/10 13:47:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/10/09 21:39:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Desktop\ULUS10437GameData00 [LITE]
[2009/10/09 21:39:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Leonard\Desktop\__MACOSX
[2009/10/09 15:57:00 | 02,744,320 | ---- | C] (UFox) -- C:\Documents and Settings\Leonard\Desktop\PSPContentManager.exe
[2009/10/09 13:24:52 | 01,279,488 | ---- | C] (UMDGEN.COM) -- C:\Documents and Settings\Leonard\Desktop\UMDGen.exe
[2009/10/08 22:01:18 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MPE.sys
[2009/10/08 22:01:18 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mpe.sys
[2009/10/08 22:01:16 | 00,010,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\NdisIP.sys
[2009/10/08 22:01:16 | 00,010,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndisip.sys
[2009/10/08 22:01:15 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipsink.ax
[2009/10/08 22:01:15 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ipsink.ax
[2009/10/08 22:01:15 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\StreamIP.sys
[2009/10/08 22:01:15 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\streamip.sys
[2009/10/08 22:01:13 | 00,005,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MSTEE.sys
[2009/10/08 22:01:13 | 00,005,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstee.sys
[2009/10/08 22:01:12 | 00,011,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\SLIP.sys
[2009/10/08 22:01:12 | 00,011,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\slip.sys
[2009/10/08 22:01:11 | 00,019,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\WSTCODEC.SYS
[2009/10/08 22:01:11 | 00,019,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wstcodec.sys
[2009/10/08 22:01:09 | 00,085,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\NABTSFEC.sys
[2009/10/08 22:01:09 | 00,085,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nabtsfec.sys
[2009/10/08 22:01:07 | 00,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\CCDECODE.sys
[2009/10/08 22:01:07 | 00,017,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ccdecode.sys
[2009/10/08 22:01:04 | 00,090,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kswdmcap.ax
[2009/10/08 22:01:04 | 00,090,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kswdmcap.ax
[2009/10/08 22:01:04 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kstvtune.ax
[2009/10/08 22:01:04 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kstvtune.ax
[2009/10/08 22:01:04 | 00,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vidcap.ax
[2009/10/08 22:01:04 | 00,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vidcap.ax
[2009/10/08 22:01:03 | 00,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vfwwdm32.dll
[2009/10/08 22:01:03 | 00,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vfwwdm32.dll
[2009/10/08 22:01:03 | 00,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\BdaSup.sys
[2009/10/08 22:01:03 | 00,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdasup.sys
[2009/10/08 22:01:01 | 00,170,496 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinavt2.sys
[2009/10/08 22:01:01 | 00,106,496 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\atinppt2.ax
[2009/10/01 20:50:04 | 05,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2009/10/01 20:50:04 | 01,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2009/10/01 20:50:04 | 01,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2009/10/01 20:50:04 | 00,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2009/10/01 20:50:04 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2009/10/01 20:50:04 | 00,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2009/10/01 20:50:04 | 00,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2009/09/29 21:49:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\RegisteredPackages
[2009/09/28 20:40:09 | 00,737,280 | ---- | C] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2009/09/28 20:40:09 | 00,000,000 | ---D | C] -- C:\iPhone Backup Switch
[2009/09/27 00:58:30 | 00,032,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msonpmon.dll
[2009/09/27 00:55:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2009/09/25 17:30:51 | 02,023,424 | ---- | C] (Inprise Corporation) -- C:\WINDOWS\System32\vcl50.bpl
[2009/09/24 23:03:20 | 00,131,072 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNCLSD23.DLL
[2009/09/24 23:03:20 | 00,110,592 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNCLST23.DLL
[2009/09/24 23:03:20 | 00,110,592 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNCLSI23.DLL
[2009/09/24 23:03:20 | 00,098,304 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNCLSU23.DLL
[2009/09/24 23:03:20 | 00,077,824 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNCLSC23.DLL
[2009/09/24 23:03:19 | 00,073,728 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNCL4100.DLL
[2009/09/24 23:03:19 | 00,069,632 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNCI4100.DLL
[2009/09/24 23:03:19 | 00,049,152 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\cncilsc.dll
[2009/09/24 23:03:18 | 00,200,704 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNCC4100.DLL
[2009/09/24 22:57:47 | 02,428,928 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippia611.dll
[2009/09/24 22:57:47 | 01,359,872 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippsa611.dll
[2009/09/24 22:57:47 | 00,462,848 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippcva611.dll
[2009/09/24 22:57:47 | 00,184,320 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippsra611.dll
[2009/09/24 22:57:47 | 00,151,552 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippja611.dll
[2009/09/24 22:57:46 | 00,225,280 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippi11.dll
[2009/09/24 22:57:46 | 00,176,128 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ipps11.dll
[2009/09/24 22:57:46 | 00,094,208 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippcv11.dll
[2009/09/24 22:57:46 | 00,077,824 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippsr11.dll
[2009/09/24 22:57:46 | 00,065,536 | ---- | C] (Intel Corporation.) -- C:\WINDOWS\System32\ippj11.dll
[2009/09/24 22:57:44 | 00,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\WINDOWS\IsUninst.exe
[2009/09/24 22:57:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\color
[2009/09/24 22:55:11 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\CanonMF Uninstaller Information
[2009/09/24 22:54:54 | 00,000,000 | -H-D | C] -- C:\CanonMF

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/10/24 14:31:56 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Leonard\Desktop\OTL.exe
[2009/10/24 14:19:18 | 43,648,696 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/10/24 14:19:08 | 00,049,420 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/10/24 14:15:34 | 00,002,331 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Flash Card Manager.lnk
[2009/10/24 14:14:48 | 00,161,672 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2009/10/24 14:14:48 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/10/24 14:14:48 | 00,001,411 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\AVG 9.0.lnk
[2009/10/24 14:14:46 | 00,356,616 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/10/24 14:14:44 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/10/24 14:14:44 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/10/24 14:14:44 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/10/24 14:14:42 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/10/24 14:14:42 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/10/24 14:13:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/24 14:12:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/24 14:07:42 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/24 11:21:40 | 00,000,764 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Shortcut to DriverGenius.exe.lnk
[2009/10/24 10:46:42 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2009/10/24 10:46:32 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/10/24 10:21:42 | 00,001,104 | ---- | M] () -- C:\WINDOWS\AZPR3.INI
[2009/10/24 10:21:30 | 00,000,115 | ---- | M] () -- C:\WINDOWS\AIMPR.INI
[2009/10/24 10:04:46 | 00,122,880 | ---- | M] () -- C:\Documents and Settings\Leonard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/22 20:46:24 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/22 10:49:32 | 00,002,201 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\152.gif
[2009/10/17 17:17:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/10/16 22:07:54 | 00,000,287 | ---- | M] () -- C:\WINDOWS\game.ini
[2009/10/16 22:04:38 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2009/10/16 21:58:06 | 00,000,570 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\gBurner.lnk
[2009/10/14 01:01:18 | 00,017,702 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Conflicting perspectives.docx
[2009/10/13 23:26:02 | 00,000,393 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Play Count Editor.js
[2009/10/12 23:27:06 | 00,044,670 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\4 - Conflicting Perspectives Essay.odt
[2009/10/12 23:27:04 | 00,017,894 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\2 - Donne And Wit.docx
[2009/10/12 23:26:58 | 00,028,672 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\3 - Speeches Essay.doc
[2009/10/12 21:03:08 | 00,001,735 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\PSP Video 9.lnk
[2009/10/12 11:43:54 | 00,163,840 | ---- | M] () -- C:\Documents and Settings\Leonard\Application Data\file1.exe
[2009/10/12 01:50:06 | 00,000,623 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\VLC media player.lnk
[2009/10/12 01:34:56 | 14,914,820 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\The_KMPlayer_1435.exe
[2009/10/11 13:57:26 | 00,108,167 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\1245303420515316.jpg
[2009/10/10 15:19:24 | 04,978,034 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\CWCHEAT_0_2_2_REVD_2.RAR
[2009/10/09 22:55:24 | 04,978,034 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\CWCHEAT_0_2_2_REVD.RAR
[2009/10/08 21:51:32 | 00,001,186 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\'Folding@Home'.lnk
[2009/10/07 15:54:10 | 00,343,371 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\hjsplit_24[1].zip
[2009/10/06 03:55:18 | 52,620,4292 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Ayaka X Kobukuro - Anata to [Music Station 100308].ts
[2009/10/05 20:59:48 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\TOKYO DOGS 19 OCT
[2009/10/05 20:59:34 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Ohitorisama 16 OCT
[2009/10/05 17:39:06 | 00,059,936 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\HAHA HENSON.jpg
[2009/10/04 14:54:58 | 00,001,508 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\QuickTime Player.lnk
[2009/10/02 22:43:20 | 00,169,984 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Shinjuku Apartment-1.doc
[2009/09/30 18:33:18 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Irremote.ini
[2009/09/30 00:37:50 | 00,016,363 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\arguments of me and kieran LOL.docx
[2009/09/28 20:40:12 | 00,001,363 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Backup Switch.lnk
[2009/09/28 20:40:08 | 00,737,280 | ---- | M] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2009/09/27 18:36:52 | 00,271,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/27 07:19:38 | 00,075,032 | ---- | M] () -- C:\Documents and Settings\Leonard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/27 01:02:08 | 00,510,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/09/27 01:02:08 | 00,435,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/27 01:02:08 | 00,068,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/09/27 00:55:36 | 00,000,552 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/25 21:50:34 | 00,071,304 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\6831_168312080782_724610782_4106965_4635589_n.jpg
[2009/09/25 19:21:42 | 00,037,115 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\7116_1236783443786_1355231664_30659540_6566590_n.jpg
[2009/09/25 17:27:48 | 00,042,607 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\IMG_2496.JPG
[2009/09/25 17:01:30 | 00,006,373 | ---- | M] () -- C:\Documents and Settings\Leonard\Desktop\Document.rtf
[2009/09/25 11:14:28 | 00,000,744 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\CloneDVD.lnk
[2009/09/25 11:12:56 | 00,000,658 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\AnyDVD.lnk
[2009/09/24 22:57:56 | 00,000,673 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\MF4100 Series Advanced Guide (UK).lnk
[2009/09/24 22:57:56 | 00,000,666 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\MF4100 Series Scanner Driver Guide (UK).lnk
[2009/09/24 22:57:50 | 00,001,714 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Presto! PageManager 7.15.lnk
[2009/09/24 22:57:48 | 00,151,566 | ---- | M] () -- C:\WINDOWS\System32\UninstIPP.isu
[2009/09/24 22:56:48 | 00,000,419 | ---- | M] () -- C:\WINDOWS\MAXLINK.INI
[2009/09/24 22:55:52 | 00,001,733 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Canon MF Toolbox 4.9.lnk

========== Files - No Company Name ==========
[2009/10/24 14:14:46 | 00,001,411 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\AVG 9.0.lnk
[2009/10/24 14:14:42 | 00,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/10/24 14:14:41 | 43,648,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/10/24 14:14:41 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/10/24 14:14:41 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/10/24 14:14:41 | 00,049,420 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/10/24 11:13:15 | 00,000,764 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\Shortcut to DriverGenius.exe.lnk
[2009/10/24 10:21:39 | 00,001,104 | ---- | C] () -- C:\WINDOWS\AZPR3.INI
[2009/10/24 10:21:29 | 00,000,115 | ---- | C] () -- C:\WINDOWS\AIMPR.INI
[2009/10/22 10:49:30 | 00,002,201 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\152.gif
[2009/10/16 22:07:53 | 00,000,287 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/10/16 22:04:37 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/10/16 21:58:04 | 00,000,570 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\gBurner.lnk
[2009/10/14 01:01:17 | 00,017,702 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\Conflicting perspectives.docx
[2009/10/12 23:27:30 | 00,044,670 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\4 - Conflicting Perspectives Essay.odt
[2009/10/12 23:27:30 | 00,017,894 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\2 - Donne And Wit.docx
[2009/10/12 23:26:48 | 00,028,672 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\3 - Speeches Essay.doc
[2009/10/12 21:03:07 | 00,001,735 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\PSP Video 9.lnk
[2009/10/12 20:44:31 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/10/12 11:42:58 | 00,163,840 | ---- | C] () -- C:\Documents and Settings\Leonard\Application Data\file1.exe
[2009/10/12 01:22:32 | 14,914,820 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\The_KMPlayer_1435.exe
[2009/10/11 13:57:23 | 00,108,167 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\1245303420515316.jpg
[2009/10/10 15:18:46 | 04,978,034 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\CWCHEAT_0_2_2_REVD_2.RAR
[2009/10/09 22:54:47 | 04,978,034 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\CWCHEAT_0_2_2_REVD.RAR
[2009/10/08 22:01:04 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/10/08 22:01:04 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\dllcache\psisdecd.dll
[2009/10/08 22:01:03 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\MSDvbNP.ax
[2009/10/08 22:01:03 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdvbnp.ax
[2009/10/08 22:01:01 | 00,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc01.cod
[2009/10/07 15:54:01 | 00,343,371 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\hjsplit_24[1].zip
[2009/10/06 09:44:29 | 52,620,4292 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\Ayaka X Kobukuro - Anata to [Music Station 100308].ts
[2009/10/05 20:59:33 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\TOKYO DOGS 19 OCT
[2009/10/05 20:59:33 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\Ohitorisama 16 OCT
[2009/10/05 17:39:05 | 00,059,936 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\HAHA HENSON.jpg
[2009/10/04 14:55:42 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2009/10/04 14:54:56 | 00,001,508 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\QuickTime Player.lnk
[2009/10/02 22:43:18 | 00,169,984 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\Shinjuku Apartment-1.doc
[2009/09/30 18:33:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/09/30 00:37:49 | 00,016,363 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\arguments of me and kieran LOL.docx
[2009/09/28 20:40:10 | 00,001,363 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\Backup Switch.lnk
[2009/09/25 21:50:33 | 00,071,304 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\6831_168312080782_724610782_4106965_4635589_n.jpg
[2009/09/25 19:21:41 | 00,037,115 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\7116_1236783443786_1355231664_30659540_6566590_n.jpg
[2009/09/25 17:30:51 | 00,594,944 | ---- | C] () -- C:\WINDOWS\System32\iplPX.dll
[2009/09/25 17:30:51 | 00,220,160 | ---- | C] () -- C:\WINDOWS\System32\lpng-px.dll
[2009/09/25 17:30:51 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2009/09/25 17:30:51 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ipl.dll
[2009/09/25 17:27:47 | 00,042,607 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\IMG_2496.JPG
[2009/09/25 17:01:29 | 00,006,373 | ---- | C] () -- C:\Documents and Settings\Leonard\Desktop\Document.rtf
[2009/09/25 14:34:48 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/25 11:14:26 | 00,000,744 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\CloneDVD.lnk
[2009/09/25 11:12:55 | 00,000,658 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\AnyDVD.lnk
[2009/09/24 23:03:20 | 00,000,332 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP23.INI
[2009/09/24 22:57:55 | 00,000,666 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\MF4100 Series Scanner Driver Guide (UK).lnk
[2009/09/24 22:57:54 | 00,000,673 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\MF4100 Series Advanced Guide (UK).lnk
[2009/09/24 22:57:50 | 00,001,714 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Presto! PageManager 7.15.lnk
[2009/09/24 22:57:46 | 00,151,566 | ---- | C] () -- C:\WINDOWS\System32\UninstIPP.isu
[2009/09/24 22:57:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2009/09/24 22:57:40 | 00,009,606 | ---- | C] () -- C:\WINDOWS\System32\NEWSOFT
[2009/09/24 22:57:40 | 00,000,006 | ---- | C] () -- C:\WINDOWS\System\NsTemp.INI
[2009/09/24 22:57:34 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2009/09/24 22:56:46 | 00,000,419 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/09/24 22:55:51 | 00,001,733 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Canon MF Toolbox 4.9.lnk
[2009/09/05 19:02:22 | 00,000,014 | ---- | C] () -- C:\WINDOWS\System32\288261769.dll
[2009/09/01 20:23:45 | 00,593,440 | ---- | C] () -- C:\Documents and Settings\Leonard\Application Data\8d51356f4bb435f1b6f84a242a76b34c-i686.cache-2
[2009/08/31 00:18:00 | 00,000,004 | ---- | C] () -- C:\WINDOWS\System32\microday08.dll
[2009/08/31 00:17:58 | 00,000,070 | ---- | C] () -- C:\WINDOWS\System32\mypath0079.dll
[2009/08/31 00:17:58 | 00,000,034 | ---- | C] () -- C:\WINDOWS\System32\MTX0CI.dll
[2009/08/30 18:15:13 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/08/30 18:14:53 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/08/30 18:14:53 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/08/30 18:14:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/08/30 18:14:52 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/08/30 18:14:52 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/08/30 18:14:50 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/08/30 18:14:50 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/08/27 21:23:03 | 04,818,770 | -H-- | C] () -- C:\Documents and Settings\Leonard\Local Settings\Application Data\IconCache.db
[2009/08/27 20:04:19 | 00,075,032 | ---- | C] () -- C:\Documents and Settings\Leonard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/27 20:03:53 | 00,122,880 | ---- | C] () -- C:\Documents and Settings\Leonard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/27 20:03:28 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Leonard\Application Data\desktop.ini
[2009/08/27 19:12:07 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
[2009/07/14 17:15:00 | 00,178,432 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2004/08/03 14:56:44 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/07/17 01:36:38 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2001/08/23 12:00:00 | 00,000,552 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 12:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== LOP Check ==========

[2009/08/27 19:12:08 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Default User.WINDOWS\Application Data
[2009/08/27 19:12:08 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data
[2009/10/04 14:55:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/30 17:58:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/30 02:21:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ATI
[2009/10/24 11:00:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2009/08/30 19:29:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\DAEMON Tools Pro
[2009/08/31 20:10:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
[2009/09/16 17:20:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PicShrink
[2009/09/24 22:56:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft
[2009/08/30 18:12:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2009/08/30 19:13:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ubisoft
[2009/08/27 19:25:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data
[2009/08/27 20:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data
[2009/08/27 19:12:08 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Leonard\Application Data
[2009/09/06 23:58:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\.myibay
[2009/08/30 02:21:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\ATI
[2009/09/03 18:27:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\Braid
[2009/09/24 23:06:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\Canon
[2009/08/30 19:28:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\DAEMON Tools Pro
[2009/08/30 18:00:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\DMCache
[2009/09/18 18:07:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\dvdcss
[2009/08/30 20:57:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\FALCOM
[2009/09/02 22:09:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\Hamachi
[2009/08/30 18:00:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\IDM
[2009/08/30 18:12:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\ImgBurn
[2009/09/20 19:07:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\ImTOO Software Studio
[2009/10/24 10:18:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\Passware
[2009/10/12 21:18:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\Red Kawa
[2009/09/24 22:56:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\ScanSoft
[2009/08/30 19:13:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\Ubisoft
[2009/08/30 19:36:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\uTorrent
[2009/09/03 22:47:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Leonard\Application Data\ViStart
[2001/08/23 22:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/10/24 14:13:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/10/17 17:17:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

========== Purity Check ==========


< End of report >

Extras:

OTL Extras logfile created on: 24/10/2009 2:32:29 PM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\Leonard\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.28 Gb Total Space | 10.39 Gb Free Space | 35.48% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
Drive E: | 30.20 Gb Total Space | 19.29 Gb Free Space | 63.88% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 465.76 Gb Total Space | 139.43 Gb Free Space | 29.94% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LENNY
Current User Name: Leonard
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "G:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "G:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- G:\PROGRA~1\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"45889:TCP" = 45889:TCP:*:Enabled:asf
"45889:UDP" = 45889:UDP:*:Enabled:sdfsdfds

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"G:\Games\Left 4 Dead\left4dead.exe" = G:\Games\Left 4 Dead\left4dead.exe:*:Enabled:left4dead -- ()
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"G:\Program Files\CAPCOM\STREETFIGHTERIV\StreetFighterIV.exe" = G:\Program Files\CAPCOM\STREETFIGHTERIV\StreetFighterIV.exe:*:Enabled:STREET FIGHTER IV -- (CAPCOM U.S.A., INC.)
"G:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = G:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:iw3mp -- ()
"G:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe" = G:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV -- (Take-Two Interactive Software, Inc.)
"I:\Call of Duty - World at War\CoDWaW.exe" = I:\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty®: World at War Campaign/Coop -- File not found
"G:\Games\Call of Duty - World at War\CoDWaW.exe" = G:\Games\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty®: World at War Campaign/Coop -- (Activision Blizzard, Inc.)
"C:\Program Files\Xfire\Xfire.exe" = C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- File not found
"G:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = G:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"G:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = G:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"G:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = G:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Nero\Nero ControlCenter\SetupX.exe" = C:\Program Files\Nero\Nero ControlCenter\SetupX.exe:*:Enabled:Nero ControlCenter -- File not found
"G:\Games\RESIDENT EVIL 5\RE5DX9.EXE" = G:\Games\RESIDENT EVIL 5\RE5DX9.EXE:*:Enabled:RESIDENT EVIL 5 -- (CAPCOM CO., LTD.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0E2B767B-EA6A-489B-BF83-8083FE1DB661}" = Pcsx2 0.9.6
"{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}" = Canon MF Toolbox 4.9.1.1.mf03
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{239A8D60-270B-42e8-82D3-60D70A2942E0}" = Canon MF4100 Series
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 15
"{29D851C2-048C-4B5E-8D1F-25D473342BB5}" = ScanSoft OmniPage SE 4.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{4324BC93-C82F-ED16-BA86-5E34B9E05303}" = ccc-core-static
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4ED118EE-785C-CC18-5D2E-D5CA4BAA03F0}" = Catalyst Control Center Graphics Full New
"{539475B7-44B7-8B0A-134C-F01B9C8B7569}" = ccc-core-preinstall
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{59ABBDF0-E1E5-48AF-85FB-F523A08C3490}" = STREET FIGHTER IV
"{5AC7AE54-55DF-1126-076C-623F008D40B6}" = Catalyst Control Center Graphics Full Existing
"{6351D217-3EE3-1967-29BE-6A77635FE485}" = Skins
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AB9CD3A-F91F-233B-923B-6C59BA63524D}" = Catalyst Control Center HydraVision Full
"{7B4A5C13-069F-4AFE-AE57-C497B4E33C7E}" = Call of Duty® 2 Patch 1.3
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85A91C22-C369-FCFB-5F1F-D59EB21AD0E1}" = CCC Help English
"{8C729A21-1A80-417B-92B1-0C7193A29619}" = Grand Theft Auto IV
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9F9F4861-DBEE-4906-8FF0-AF12DB99168B}" = PicShrink
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A63993E0-BCFB-45D0-AF7C-B01E48DBE725}" = PS3 Vibration Joystick
"{A6D0140F-E62F-9D1E-2408-9CFF91FF6FC8}" = ccc-utility
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC28826B-12AD-45AE-BB1C-2272C958F564}" = Flash Card Manager
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B45FABE7-D101-4D99-A671-E16DA40AF7F0}" = Microsoft Games for Windows - LIVE
"{B578C85A-A84C-4230-A177-C5B2AF565B8C}" = Microsoft Games for Windows - LIVE Redistributable
"{BBBF4CFE-9D26-4D93-A869-B2B021B3CA85}" = Intel® PRO Network Connections 12.2.41.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C44A7422-E380-44BE-79FE-1C032D8A03A7}" = Catalyst Control Center Core Implementation
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DD929BD3-5D41-4407-BE04-119B4A631869}" = Canon MF Toolbox 4.9.1.1.mf03
"{DF204E20-C29C-4434-BCFE-D9BAF76CEF8D}" = Sun ODF Plugin for Microsoft Office 3.1
"{E07F7571-7193-4505-B017-FDC6525CA0B7}" = ATI AVIVO Codecs
"{E5D24929-91A4-B0A1-DE00-AFC453921EF7}" = Catalyst Control Center Graphics Light
"{E6C09BFB-BA75-15C7-5B18-A2CE31C4F42B}" = Catalyst Control Center Graphics Previews Common
"{EA52A1AC-D35D-4D25-8686-9466FE2C5CE5}" = Presto! PageManager 7.15.11
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"7-Zip" = 7-Zip 4.65
"AC3Filter" = AC3Filter (remove only)
"Accurate Shutdown_is1" = Accurate Shutdown 6.30
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"AnyDVD" = AnyDVD
"ATI Display Driver" = ATI Display Driver
"AVG9Uninstall" = AVG 9.0
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner (remove only)
"CloneDVD" = CloneDVD
"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)
"Driver Genius Professional Edition_is1" = Driver Genius Professional Edition
"DVD Decrypter" = DVD Decrypter (Remove Only)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"gBurner" = gBurner
"HaaliMkx" = Haali Media Splitter
"ImgBurn" = ImgBurn
"ImTOO iPhone Video Converter" = ImTOO iPhone Video Converter
"InstallShield_{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"Internet Download Manager" = Internet Download Manager
"iPhone_Backup_Switch_1.0" = iPhone Backup Switch
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.0.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"myibay eBay bid sniper_is1" = myibay eBay bid sniper 1.0.40
"PSP Video 9" = PSP Video 9 5.03
"SmartClose.{7F22CBCB-92B5-4F5D-9A34-BB690215BEF2}_is1" = SmartClose 1.1
"Softonic-Eng3 Toolbar" = Softonic-Eng3 Toolbar
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Tansee iPhone Transfer_is1" = Tansee iPhone Transfer
"TVwriter_is1" = TVwriter V2.3.2.91
"VLC media player" = VLC media player 1.0.2
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-583907252-484763869-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 18/10/2009 8:43:48 PM | Computer Name = LENNY | Source = Application Error | ID = 1000
Description = Faulting application nero.exe, version 8.2.8.0, faulting module nosproductregistration.dll,
version 1.4.5.0, fault address 0x00040568.

Error - 18/10/2009 8:43:48 PM | Computer Name = LENNY | Source = Application Error | ID = 1000
Description = Faulting application nero.exe, version 8.2.8.0, faulting module nosproductregistration.dll,
version 1.4.5.0, fault address 0x00040568.

Error - 23/10/2009 9:19:30 PM | Computer Name = LENNY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3523, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x0004f029.

Error - 23/10/2009 9:19:33 PM | Computer Name = LENNY | Source = Application Error | ID = 1001
Description = Fault bucket 1456865342.

Error - 23/10/2009 9:46:13 PM | Computer Name = LENNY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3523, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x0004f029.

Error - 23/10/2009 9:46:15 PM | Computer Name = LENNY | Source = Application Error | ID = 1001
Description = Fault bucket 1456865342.

Error - 23/10/2009 10:08:41 PM | Computer Name = LENNY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3523, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x0004f029.

Error - 23/10/2009 10:54:07 PM | Computer Name = LENNY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3523, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x0004f029.

Error - 23/10/2009 11:26:11 PM | Computer Name = LENNY | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3523, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x0004f029.

Error - 23/10/2009 11:26:17 PM | Computer Name = LENNY | Source = Application Error | ID = 1001
Description = Fault bucket 1456865342.

[ System Events ]
Error - 4/10/2009 7:45:51 PM | Computer Name = LENNY | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.4 for the Network Card with network
address 001D60DC8E6A has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 4/10/2009 9:26:55 PM | Computer Name = LENNY | Source = Schannel | ID = 36881
Description = The certificate received from the remote server has expired. The SSL
connection request has failed. The attached data contains the server certificate.

Error - 4/10/2009 10:08:10 PM | Computer Name = LENNY | Source = DCOM | ID = 10010
Description = The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register
with DCOM within the required timeout.

Error - 4/10/2009 10:11:17 PM | Computer Name = LENNY | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume E:.

Error - 4/10/2009 10:18:18 PM | Computer Name = LENNY | Source = Schannel | ID = 36881
Description = The certificate received from the remote server has expired. The SSL
connection request has failed. The attached data contains the server certificate.

Error - 4/10/2009 10:28:45 PM | Computer Name = LENNY | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume5'. It has stopped monitoring
the volume.


< End of report >


gmer.log:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-24 14:35:52
Windows 5.1.2600 Service Pack 2
Running: 9b84v90f.exe; Driver: C:\DOCUME~1\Leonard\LOCALS~1\Temp\fxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT spbx.sys ZwCreateKey [0xB9EA70E0]
SSDT spbx.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spbx.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT spbx.sys ZwOpenKey [0xB9EA70C0]
SSDT spbx.sys ZwQueryKey [0xB9EC610A]
SSDT spbx.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT spbx.sys ZwSetValueKey [0xB9EC619C]

INT 0x74 ? 8A339BF8
INT 0x83 ? 8A709BF8
INT 0x83 ? 8A709BF8
INT 0x83 ? 8A339BF8
INT 0x83 ? 8A709BF8
INT 0x84 ? 8A339BF8
INT 0x94 ? 8A339BF8
INT 0x94 ? 8A339BF8
INT 0x94 ? 8A339BF8
INT 0x94 ? 8A339BF8
INT 0xA4 ? 8A339BF8
INT 0xB1 ? 8A70CBF8
INT 0xB1 ? 8A70CBF8
INT 0xB4 ? 8A709BF8
INT 0xB4 ? 8A709BF8
INT 0xB4 ? 8A709BF8
INT 0xB4 ? 8A709BF8
INT 0xB4 ? 8A709BF8

Code 8A34F9D0 ZwFlushInstructionCache
Code 8A3510BE ZwSaveKey
Code 8A350386 ZwSaveKeyEx
Code 8A354AD6 IofCallDriver
Code 8A49A8EE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EEEB8 5 Bytes JMP 8A354ADB
.text ntkrnlpa.exe!IofCompleteRequest 804EEF48 5 Bytes JMP 8A49A8F3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B51CE 5 Bytes JMP 8A34F9D4
PAGE ntkrnlpa.exe!ZwSaveKey 806204F2 5 Bytes JMP 8A3510C2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 80620582 5 Bytes JMP 8A35038A
? spbx.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B98E062C 5 Bytes JMP 8A3391D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!FindResourceExW 7C80AB10 4 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!FindResourceExW + 5 7C80AB15 2 Bytes [CC, CC] {INT 3 ; INT 3 }
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!FindResourceW 7C80BA56 7 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!SizeofResource 7C80BAF1 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!LockResource 7C80C6CF 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!FindResourceA 7C80C7B1 7 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!CreateEventA 7C81E4BD 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!FindResourceExA 7C822C2D 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] ADVAPI32.dll!CryptDeriveKey 77DEA685 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] ADVAPI32.dll!CryptDecrypt 77DEA7B1 2 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] ADVAPI32.dll!CryptDecrypt + 3 77DEA7B4 4 Bytes [21, B0, CC, CC]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!GetWindowLongW 77D4887E 7 Bytes JMP 28006B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!PeekMessageW 77D49278 5 Bytes JMP 280046C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 28003CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!SetWindowRgn 77D51DE0 7 Bytes JMP 28005FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!LoadIconW 77D52174 5 Bytes JMP 28006960 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!LoadImageW 77D542A4 5 Bytes JMP 28006770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!CreateDialogParamW 77D6629F 5 Bytes JMP 28006120 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!SetWindowPlacement 77D6FBEA 5 Bytes JMP 28005EA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 28006310 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] USER32.dll!TrackPopupMenuEx 77D9CAFE 5 Bytes JMP 28004FA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WS2_32.dll!send 71AB428A 5 Bytes JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 2800B550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WS2_32.dll!recv 71AB615A 5 Bytes JMP 2800B3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 2800B950 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 2800BB90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] SHELL32.dll!Shell_NotifyIconW 7CA37CE1 5 Bytes JMP 28003440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] ole32.dll!CoInitializeEx 774F42F3 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] ole32.dll!CoRegisterClassObject 77541BFC 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WININET.dll!HttpOpenRequestA 771C4AC5 5 Bytes JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WININET.dll!InternetCloseHandle 771C61DC 5 Bytes JMP 2800A560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WININET.dll!HttpSendRequestA 771C76B8 5 Bytes JMP 2800A490 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] WININET.dll!InternetReadFile 771C9555 5 Bytes JMP 2800A3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spbx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spbx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spbx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spbx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spbx.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] spbx.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A21D500
Device \FileSystem\Fastfat \FatCdrom 8A7081F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 8A3361F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A69A1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A69A1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A69A1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A69A1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A3361F8
Device \Driver\usbuhci \Device\USBPDO-2 8A3361F8
Device \Driver\usbehci \Device\USBPDO-3 8A2EC1F8
Device \Driver\usbuhci \Device\USBPDO-4 8A3361F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 8A3361F8
Device \Driver\usbuhci \Device\USBPDO-6 8A3361F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A70A1F8
Device \Driver\usbehci \Device\USBPDO-7 8A2EC1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A70A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-13 8A7091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-13 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-1b 8A7091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-1b AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A7091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 8A7091F8
Device \Driver\atapi \Device\Ide\IdePort0 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort1 8A7091F8
Device \Driver\atapi \Device\Ide\IdePort1 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort2 8A7091F8
Device \Driver\atapi \Device\Ide\IdePort2 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort3 8A7091F8
Device \Driver\atapi \Device\Ide\IdePort3 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort4 8A7091F8
Device \Driver\atapi \Device\Ide\IdePort4 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort5 8A7091F8
Device \Driver\atapi \Device\Ide\IdePort5 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A70A1F8
Device \Driver\PCI_PNP4702 \Device\0000003d spbx.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A31D500
Device \Driver\PCI_PNP4702 \Device\0000003e spbx.sys
Device \Driver\NetBT \Device\NetbiosSmb 8A31D500
Device \Driver\sptd \Device\923238452 spbx.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{C433F89E-CDA2-4825-830C-82C3B9BAE18F} 8A31D500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8A3361F8
Device \Driver\usbuhci \Device\USBFDO-1 8A3361F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A186500
Device \Driver\usbuhci \Device\USBFDO-2 8A3361F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A186500
Device \Driver\usbehci \Device\USBFDO-3 8A2EC1F8
Device \Driver\usbuhci \Device\USBFDO-4 8A3361F8
Device \Driver\sptd \Device\923394702 spbx.sys
Device \Driver\Ftdisk \Device\FtControl 8A70A1F8
Device \Driver\usbuhci \Device\USBFDO-5 8A3361F8
Device \Driver\usbuhci \Device\USBFDO-6 8A3361F8
Device \Driver\usbehci \Device\USBFDO-7 8A2EC1F8
Device \Driver\a0f8k320 \Device\Scsi\a0f8k3201Port7Path0Target0Lun0 8A11A1F8
Device \Driver\a0f8k320 \Device\Scsi\a0f8k3201Port7Path0Target0Lun0 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\a0f8k320 \Device\Scsi\a0f8k3201 8A11A1F8
Device \Driver\a0f8k320 \Device\Scsi\a0f8k3201 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\a8o895y2 \Device\Scsi\a8o895y21 8A1171F8
Device \FileSystem\Fastfat \Fat 8A7081F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A1E1500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gasfkyowydybmk.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1508] 0x10000000
Library \\?\globalroot\systemroot\system32\gasfkyowydybmk.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2044] 0x007E0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkyjkohrlnp.sys (*** hidden *** ) [SYSTEM] gasfkywrcfjiee <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
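The GMER output above is what the helper's later verdict rests on. As an added example (not thread content and not GMER's own code), this Python helper parses that log format into the indicators a responder checks first, using an excerpt of the log above as its sample input:

```python
"""Triage helper for GMER rootkit-scan logs in the format posted above.
Added example, not part of the thread and not GMER's own code. One pass over
the text collects what a responder looks at first: objects GMER itself marks
*** hidden *** or <-- ROOTKIT, and SSDT / inline / IAT kernel hooks."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
INLINE_RE = re.compile(
    r"^(\.text|PAGE)\s+(\S+)!(\w+)\s+([0-9A-F]+)\s+(\d+) Bytes JMP ([0-9A-F]+)$")
IAT_RE = re.compile(r"^IAT\s+(\S+)\[(\S+)!(\w+)\]\s+\[([0-9A-F]+)\]\s+(\S+)$")


@dataclass
class Triage:
    rootkit: list[str] = field(default_factory=list)       # GMER's own verdict lines
    hidden: list[str] = field(default_factory=list)        # objects hidden from the OS
    missing_files: list[str] = field(default_factory=list)  # hooking driver not on disk
    ssdt_hooks: dict[str, list[str]] = field(default_factory=lambda: defaultdict(list))
    inline_hooks: list[tuple[str, str, str]] = field(default_factory=list)
    iat_hooks: dict[str, list[str]] = field(default_factory=lambda: defaultdict(list))


def triage_gmer_log(text: str) -> Triage:
    """Track the current '---- <section> ----' header and apply each pattern
    only inside its own section, so user-mode hooks are never mistaken for
    kernel ones."""
    t, section = Triage(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # GMER's verdict markers are the strongest signal wherever they appear.
        if "<-- ROOTKIT" in line:
            t.rootkit.append(line)
        if "*** hidden ***" in line:
            t.hidden.append(line)
        if section == "System" and (m := SSDT_RE.match(line)):
            t.ssdt_hooks[m.group(1)].append(m.group(2))
        elif section == "Kernel code sections":
            if line.startswith("?") and "cannot find the file" in line:
                t.missing_files.append(line.split()[1])   # "? spbx.sys The system ..."
            elif m := INLINE_RE.match(line):
                t.inline_hooks.append((m.group(2), m.group(3), m.group(6)))
        elif section == "Kernel IAT/EAT" and (m := IAT_RE.match(line)):
            t.iat_hooks[m.group(5)].append(f"{m.group(1)} {m.group(2)}!{m.group(3)}")
    return t


def severity(t: Triage) -> str:
    """CRITICAL: GMER found hidden objects or named a rootkit outright.
    REVIEW: hooks only; disc emulators and AV drivers hook too (the Devices
    section above ties spbx.sys to \\Driver\\sptd). CLEAN: nothing found."""
    if t.rootkit or t.hidden:
        return "CRITICAL"
    if t.ssdt_hooks or t.inline_hooks or t.iat_hooks or t.missing_files:
        return "REVIEW"
    return "CLEAN"


def summarize(t: Triage) -> list[str]:
    """Human-readable summary, verdict first."""
    out = [f"verdict: {severity(t)}"]
    out += ["rootkit: " + ln for ln in t.rootkit] + ["hidden: " + ln for ln in t.hidden]
    for drv, funcs in sorted(t.ssdt_hooks.items()):
        flag = " (driver not found on disk)" if drv in t.missing_files else ""
        out.append(f"SSDT hooks by {drv}{flag}: {', '.join(funcs)}")
    for drv, imports in sorted(t.iat_hooks.items()):
        out.append(f"IAT hooks by {drv}: {len(imports)} import(s)")
    out += [f"inline JMP in {mod}!{fn} -> {tgt}" for mod, fn, tgt in t.inline_hooks]
    return out


# Excerpt of the GMER log posted above (trimmed, not constructed).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT spbx.sys ZwCreateKey [0xB9EA70E0]
SSDT spbx.sys ZwOpenKey [0xB9EA70C0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EEEB8 5 Bytes JMP 8A354ADB
PAGE ntkrnlpa.exe!ZwSaveKey 806204F2 5 Bytes JMP 8A3510C2
? spbx.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1996] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spbx.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] spbx.sys
---- Devices - GMER 1.0.15 ----
Device \Driver\sptd \Device\923238452 spbx.sys
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\gasfkyowydybmk.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1508] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\gasfkyjkohrlnp.sys (*** hidden *** ) [SYSTEM] gasfkywrcfjiee <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    print("\n".join(summarize(triage_gmer_log(SAMPLE_LOG))))
```

Hooks alone only earn a REVIEW verdict; the two hidden objects and the ROOTKIT marker are what push the excerpt to CRITICAL.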

#7 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 23 October 2009 - 11:03 PM

Hello,
Thanks for the detailed info and prompt response. :(

==========

My local disk D was suddenly formatted, and when I try to format it, it says ; The disk in drive D cannot be formatted.

What do you mean it was suddenly "formatted"? What data did you have on that partition? Was it just data or a bootable partition?

==========

The data in New volume E is no longer accessible

Bootable partition or just data?

==========

One or more of the identified infections is a Backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

:( P2P Warning :)

Your log indicates that you have uTorrent installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Remote Control Program WARNING
You appear to have a Remote Control application installed. In your case, this is referring to LogMeIn.
Remote Control programs allow complete control of your machine as if you are sitting in front of it, even if you are in some distant location. While this can be a good thing, we need to make sure that this software was installed for a benign purpose, and not for a malicious one. If an attacker installed one of these programs, it would allow them to remotely control your computer, steal critical system information and download and execute files.

If you have this application installed on purpose, then you can safely ignore this warning, but you may wish to uninstall it as it is a risk. If you didn't install this application, please remove (uninstall) it from Add or Remove Programs now.

==========

Please make sure all drives are connected for the entire cleanup process!

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply
==========

With your next post please provide:

* Answers to my questions
* Combofix.txt
* Bootcheck.txt

I am going to sleep now. I will be back tomorrow.
Kind regards,
~t

Edited by thcbytes, 23 October 2009 - 11:05 PM.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 lenny.coffee
  • Topic Starter

  • Members
  • 41 posts

Posted 24 October 2009 - 06:35 AM

D and E are just data.

When I try to run combofix, it closes and my computer automatically reboots.

When I try to run bootcheck, it gives me a WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of boot.ini:


and also, in the tray:

The file or directory E:\ is corrupt and unreadable. Please run the Chkdsk utility.

I have run chkdsk many times and this still pops up.

I will be sleeping as well. I will come back to try and reply asap.

Edited by lenny.coffee, 24 October 2009 - 06:35 AM.


#9 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 24 October 2009 - 08:51 AM

Hello again,

You have a seriously infected computer. :(

When I try to run combofix, it closes and my computer automatically reboots.

Did Combofix run at all?? I suspect the answer is no. Did it produce a log? If so you will find it here...
C:\ComboFix.txt

==========

Contents of boot.ini:

This is what you received? No other data...yes?

==========

If Combofix did not successfully run then this is what we need to do. First we need to disable that rootkit then we need to fix your boot.ini so we can get a Recovery Console installed. Fair warning!!! We are walking on eggshells. Until we successfully accomplish those 2 steps we could get into some trouble here.

With this next run of Combofix it is going to throw a variety of different warnings....like "the Recovery Console was not installed do you want to continue" and "running in safe Mode at reduced functionality". Please answer yes and proceed regardless.

==========

Let's continue...

Right click and delete Combofix!

Download and Run ComboFix (by sUBs) in Safe Mode

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

==========

Now reboot into Safe Mode.
  • This can be done tapping the F8 key as soon as you start your computer.
  • You will be brought to a menu where you can choose to boot into safe mode.
  • Make sure you choose the option with networking support.
  • Please see here for additional details.
==========
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Please do this........

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    boot.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


==========

With your next post please provide:

* Answer to questions
* Combofix.txt
* SystemLook log

Kind regards,
~t

#10 lenny.coffee

lenny.coffee
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 24 October 2009 - 08:29 PM

Combofix did not run, as there was no log in C drive.

That was all that was in the boot.ini.


-------
I downloaded Combofix and opened it.

When it gets to the line "attempting to create a new system restore point", the system tray says: nircmd.cfxxe - corrupt file: The file or directory E:\ is corrupt and unreadable. Please run the chkdsk utility.

It downloads the recovery console, when it gets to 100% it says Error: boot partition cannot be enumerated correctly.

When it's scanning for infected files: PEV.cfxxe has encountered a problem and needs to close.

This rebooted my computer, and then ComboFix started to scan. During the many stages a popup came up many times: The file or directory E:\ is corrupt and unreadable. Please run the chkdsk utility.


Combofix:

ComboFix 09-10-24.01 - Leonard 25/10/2009 12:18.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.3327.2848 [GMT 11:00]
Running from: c:\documents and settings\Leonard\Desktop\thcbytes.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Leonard\Application Data\file1.exe
c:\documents and settings\Leonard\Application Data\QUAD Backups
c:\documents and settings\Leonard\Application Data\QUAD Backups\10.25.2009,11-08-45\Automatic.reg
c:\windows\system32\288261769.dll
c:\windows\system32\AVSredirect.dll
c:\windows\system32\microday08.dll
c:\windows\system32\MTX0CI.dll
c:\windows\system32\mypath0079.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 00:16 . 2009-10-25 00:16 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-24 23:59 . 2009-10-24 23:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software
2009-10-24 23:58 . 2009-10-24 23:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\TuneUp Software
2009-10-24 07:26 . 2009-10-24 07:26 -------- d-----w- C:\thcbytes29054t
2009-10-24 07:06 . 2009-10-24 07:06 -------- d-----w- c:\documents and settings\Leonard\Application Data\AltrixSoft
2009-10-24 07:05 . 2009-10-24 07:05 -------- d-----w- c:\documents and settings\Leonard\Application Data\IObit
2009-10-24 04:52 . 2009-10-24 04:52 -------- d-----w- C:\thcbytes
2009-10-24 04:21 . 2009-10-24 04:21 -------- d-----w- c:\program files\Windows Sidebar
2009-10-24 04:06 . 2007-08-03 01:48 3974440 ----a-w- c:\windows\system32\AdvrCntr3.dll
2009-10-24 03:14 . 2009-10-25 01:53 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-24 03:14 . 2009-10-25 01:53 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-24 03:14 . 2009-10-25 01:53 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-24 01:01 . 2009-08-26 04:04 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-10-24 00:12 . 2009-10-24 00:12 -------- d-----w- c:\program files\Driver-Soft
2009-10-24 00:00 . 2009-10-24 00:00 -------- d-----w- c:\program files\AVG
2009-10-24 00:00 . 2009-10-24 00:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2009-10-23 23:18 . 2009-10-23 23:18 -------- d-----w- c:\documents and settings\Leonard\Application Data\Passware
2009-10-16 11:08 . 2009-10-16 11:08 -------- d-sh--w- c:\windows\ftpcache
2009-10-16 10:57 . 2009-10-16 10:58 -------- d-----w- c:\program files\gBurner
2009-10-12 12:11 . 2009-10-12 12:11 -------- d-----w- c:\documents and settings\Leonard\Application Data\SunODFPluginforMicrosoftOffice
2009-10-12 11:14 . 2009-10-12 11:14 -------- d-----w- c:\documents and settings\Leonard\.SunDownloadManager
2009-10-12 10:18 . 2009-10-12 10:18 -------- d-----w- c:\documents and settings\Leonard\Application Data\Red Kawa
2009-10-12 10:03 . 2009-10-12 10:03 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Geckofx
2009-10-12 10:03 . 2009-10-12 10:03 -------- d-----w- c:\program files\Red Kawa
2009-10-12 09:44 . 2004-01-24 13:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2009-10-12 09:44 . 2009-10-12 09:44 -------- d-----w- c:\program files\eRightSoft
2009-10-11 14:50 . 2009-10-11 14:50 -------- d-----w- c:\documents and settings\Leonard\Application Data\vlc
2009-10-11 14:25 . 2009-10-11 14:25 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Softonic-Eng3
2009-10-11 14:25 . 2009-10-11 14:25 -------- d-----w- c:\program files\Softonic-Eng3
2009-10-11 14:05 . 2009-10-11 14:05 -------- d-----w- c:\program files\AC3Filter
2009-10-10 06:17 . 2009-10-10 06:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\program files\iPod
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\program files\iTunes
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-04 03:54 . 2009-10-04 03:54 -------- d-----w- c:\program files\QuickTime
2009-10-01 09:50 . 2009-09-04 06:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-10-01 09:50 . 2009-09-04 06:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-10-01 09:50 . 2009-09-04 06:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-29 11:03 . 2009-09-29 11:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2009-09-29 05:50 . 2009-09-29 05:50 -------- d-----w- c:\program files\Trend Micro
2009-09-28 09:40 . 2009-09-28 09:40 -------- d-----w- C:\iPhone Backup Switch
2009-09-28 09:40 . 2009-09-28 09:40 737280 ----a-w- c:\windows\iun6002.exe
2009-09-26 13:59 . 2009-09-26 13:59 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Apple_Inc
2009-09-26 13:58 . 2006-10-26 08:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-09-26 13:57 . 2009-09-26 13:57 -------- d-----w- c:\program files\Microsoft Works
2009-09-26 13:57 . 2009-09-26 13:57 -------- d-----w- c:\program files\Microsoft.NET
2009-09-26 13:55 . 2009-09-26 13:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-09-26 13:55 . 2009-09-26 13:55 -------- d-----w- c:\windows\SHELLNEW
2009-09-26 13:48 . 2009-09-26 13:48 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-25 06:30 . 2000-12-19 12:02 594944 ----a-w- c:\windows\system32\iplPX.dll
2009-09-25 06:30 . 2000-12-19 12:02 7680 ----a-w- c:\windows\system32\ipl.dll
2009-09-25 06:30 . 2000-11-17 12:48 220160 ----a-w- c:\windows\system32\lpng-px.dll
2009-09-25 06:30 . 2000-09-07 12:51 19968 ----a-w- c:\windows\system32\Cpuinf32.dll
2009-09-25 06:10 . 2009-09-25 06:10 -------- d-----w- c:\program files\SatSignal Software
2009-09-25 02:48 . 2009-09-25 02:48 -------- d-----w- c:\documents and settings\Leonard\Application Data\Nero
2009-09-25 02:47 . 2009-09-25 02:47 -------- d-----w- c:\program files\Common Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 11:01 . 2009-10-08 11:01 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-09-27 07:35 . 2009-08-29 14:43 418664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-26 20:19 . 2009-08-27 09:04 75032 ----a-w- c:\documents and settings\Leonard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 00:14 . 2009-09-25 00:14 -------- d-----w- c:\program files\Elaborate Bytes
2009-09-25 00:12 . 2009-09-25 00:12 -------- d-----w- c:\program files\SlySoft
2009-09-24 12:06 . 2009-09-24 12:06 -------- d-----w- c:\documents and settings\Leonard\Application Data\Canon
2009-09-24 11:57 . 2009-09-24 11:57 -------- d-----w- c:\program files\NewSoft
2009-09-24 11:57 . 2009-09-24 11:57 -------- d-----w- c:\program files\Common Files\PDFView
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\Leonard\Application Data\ScanSoft
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ScanSoft
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\program files\ScanSoft
2009-09-24 11:55 . 2009-09-24 11:55 -------- d-----w- c:\program files\Canon
2009-09-20 08:49 . 2009-09-20 08:49 -------- d-----w- c:\program files\ImTOO
2009-09-20 08:07 . 2009-09-20 08:07 -------- d-----w- c:\documents and settings\Leonard\Application Data\ImTOO Software Studio
2009-09-20 07:29 . 2009-09-20 07:29 -------- d-----w- c:\program files\4Leaf Media Software
2009-09-18 07:07 . 2009-09-18 07:07 -------- d-----w- c:\documents and settings\Leonard\Application Data\dvdcss
2009-09-18 01:38 . 2009-09-18 01:37 -------- d-----w- c:\program files\Digiarty
2009-09-16 13:14 . 2009-09-16 13:14 -------- d-----w- c:\program files\Flash Card Manager
2009-09-16 07:14 . 2009-09-16 07:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\program files\PicShrink
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PicShrink
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-15 00:03 . 2009-09-15 00:03 -------- d-----w- c:\program files\USB Vibration
2009-09-14 12:58 . 2009-09-14 12:58 -------- d-----w- c:\program files\AviSynth 2.5
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\.myibay
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\program files\myibay
2009-09-04 12:31 . 2009-09-04 12:31 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-04 07:04 . 2009-09-04 07:04 -------- d-----w- c:\program files\Alcohol Soft
2009-09-04 06:59 . 2009-08-30 07:15 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 06:57 . 2009-09-04 06:57 -------- d-----w- c:\program files\DVD Decrypter
2009-09-04 06:44 . 2009-08-30 08:12 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-03 11:47 . 2009-09-03 11:47 -------- d-----w- c:\documents and settings\Leonard\Application Data\ViStart
2009-09-03 07:27 . 2009-09-03 07:27 -------- d-----w- c:\documents and settings\Leonard\Application Data\Braid
2009-09-02 12:32 . 2009-09-02 12:32 -------- d-----w- c:\program files\7-Zip
2009-09-02 11:09 . 2009-09-02 11:09 -------- d-----w- c:\documents and settings\Leonard\Application Data\Hamachi
2009-09-02 11:09 . 2009-09-02 11:09 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-09-01 06:10 . 2009-09-01 06:10 -------- d-----w- c:\program files\SmartClose
2009-08-31 09:10 . 2009-08-31 09:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Messenger Plus!
2009-08-30 13:17 . 2009-08-30 13:17 -------- d-----w- c:\program files\Accurate Shutdown
2009-08-30 09:57 . 2009-08-30 09:57 -------- d-----w- c:\documents and settings\Leonard\Application Data\FALCOM
2009-08-30 09:29 . 2009-08-30 09:29 -------- d-----w- c:\program files\Tansee iPhone Transfer
2009-08-30 08:36 . 2009-08-30 08:36 -------- d-----w- c:\program files\uTorrent
2009-08-30 08:36 . 2009-08-30 08:36 -------- d-----w- c:\documents and settings\Leonard\Application Data\uTorrent
2009-08-30 08:30 . 2009-08-30 08:30 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-08-30 08:29 . 2009-08-30 08:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DAEMON Tools Pro
2009-08-30 08:28 . 2009-08-30 08:28 -------- d-----w- c:\documents and settings\Leonard\Application Data\DAEMON Tools Pro
2009-08-30 08:13 . 2009-08-30 08:13 -------- d-----w- c:\documents and settings\Leonard\Application Data\Ubisoft
2009-08-30 08:13 . 2009-08-30 08:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ubisoft
2009-08-30 07:41 . 2009-08-30 07:41 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Microsoft
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Windows Live
2009-08-30 07:34 . 2009-08-30 07:34 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-30 07:33 . 2009-08-30 07:33 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\Leonard\Application Data\Media Player Classic
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\Leonard\Application Data\Malwarebytes
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\program files\Haali
2009-08-30 07:16 . 2009-08-30 07:15 -------- d-----w- c:\program files\CoreCodec
2009-08-30 07:14 . 2009-08-30 07:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-30 07:14 . 2009-08-30 07:14 -------- d-----w- c:\program files\Java
2009-08-30 07:13 . 2009-08-30 07:13 -------- d-----w- c:\program files\CCleaner
2009-08-30 07:13 . 2009-08-30 07:13 -------- d-----w- c:\program files\Google
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\documents and settings\Leonard\Application Data\ImgBurn
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\program files\ImgBurn
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\program files\SpywareBlaster
2009-08-30 07:11 . 2009-08-30 07:11 -------- d-----w- c:\program files\VideoLAN
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\documents and settings\Leonard\Application Data\IDM
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\documents and settings\Leonard\Application Data\DMCache
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\program files\Internet Download Manager
2009-08-30 06:59 . 2009-08-30 06:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\Apple Computer
2009-08-30 06:58 . 2009-08-30 06:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-27 10:25 . 2009-08-27 10:25 -------- d-----w- c:\program files\Realtek
2009-08-27 10:25 . 2009-08-27 10:25 315392 ----a-w- c:\windows\HideWin.exe
2009-08-27 10:25 . 2009-08-27 10:25 -------- d-----w- c:\program files\Intel
2009-08-27 10:23 . 2009-08-27 10:23 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-27 10:21 . 2009-08-27 10:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-27 10:21 . 2009-08-27 10:21 -------- d-----w- c:\program files\ATI Technologies
2009-08-27 10:21 . 2009-08-27 10:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-27 08:21 . 2009-08-27 08:21 -------- d-----w- c:\program files\microsoft frontpage
2009-08-27 08:19 . 2009-08-27 08:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b592e943-0cb6-482c-849e-a2311298cdfd}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b592e943-0cb6-482c-849e-a2311298cdfd}]
2009-09-23 00:50 2261016 ----a-w- c:\program files\Softonic-Eng3\tbSoft.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b592e943-0cb6-482c-849e-a2311298cdfd}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B592E943-0CB6-482C-849E-A2311298CDFD}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-07-20 2815408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-13 289072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"ats"="c:\windows\system32\asd\loadqm.exe" [2005-08-26 659456]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ElbyCheckAnyDVD"="c:\program files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2003-09-29 175616]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-25 2010904]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\Leonard\Start Menu\Programs\Startup\
myibay eBay bid sniper.lnk - c:\program files\myibay\myibay.exe [2009-9-6 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-24 03:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\E:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "c:\documents and settings\All Users.WINDOWS\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Games\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\Program Files\\CAPCOM\\STREETFIGHTERIV\\StreetFighterIV.exe"=
"g:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"g:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"g:\\Games\\Call of Duty - World at War\\CoDWaW.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Games\\RESIDENT EVIL 5\\RE5DX9.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45889:TCP"= 45889:TCP:asf
"45889:UDP"= 45889:UDP:sdfsdfds

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [24/10/2009 2:14 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/10/2009 2:14 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/10/2009 2:14 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [24/10/2009 2:14 PM 285392]
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Leonard\Application Data\Mozilla\Firefox\Profiles\qjex6qtl.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/ig?hl=en&source=iglk
FF - component: c:\documents and settings\Leonard\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: g:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 12:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ats = c:\windows\system32\asd\loadqm.exe noshow???????????<???C?:?\?W?I?N?D?O

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-25 12:23
ComboFix-quarantined-files.txt 2009-10-25 01:23

Pre-Run: 10,696,212,480 bytes free
Post-Run: 10,873,634,816 bytes free

- - End Of File - - 0FFA1BA2E7FF8FCE2046FAF3054661D2

Systemlook:


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:27 on 25/10/2009 by Leonard (Administrator - Elevation successful)

========== filefind ==========

Searching for "boot.*"
C:\thcbytes29054t\Boot.bat --a--- 7807 bytes [07:25 24/10/2009] [18:28 22/10/2009] C18BC8E579E2A5D18A896244E51B8EE8
C:\thcbytes\Boot.bat --a--- 7807 bytes [04:52 24/10/2009] [18:28 22/10/2009] C18BC8E579E2A5D18A896244E51B8EE8

-=End Of File=-
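As an added example (not code from this thread, from ComboFix or from the helper), here is a small Python triage script that reads the Run-key, BootExecute and GloballyOpenPorts sections of a ComboFix log like the one posted above and flags the items a helper checks first. The sample log is constructed from lines quoted in this thread, and the flagging rules are assumed heuristics of my own, not ComboFix logic.

```python
"""Triage the autostart-related sections of a ComboFix log.

Added example for this thread; not ComboFix code and not the helper's method.
The rules are constructed heuristics mirroring what a helper checks by eye:
Run entries in odd locations, a BootExecute value that is not the Windows
default, and firewall ports opened globally under meaningless labels.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a few lines copied from the ComboFix log quoted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-07-20 2815408]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-13 289072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"ats"="c:\windows\system32\asd\loadqm.exe" [2005-08-26 659456]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\E:\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45889:TCP"= 45889:TCP:asf
"45889:UDP"= 45889:UDP:sdfsdfds
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "Name"="value" with an optional resolved path after " - " (ComboFix prints
# that when the value is a bare file name, as with RTHDCPL above).
RUN_ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+-\s+(\S+))?')
BOOTEXEC_RE = re.compile(r'^BootExecute\s+REG_MULTI_SZ\s+(.+)$')
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')

DEFAULT_BOOTEXECUTE = "autocheck autochk *"   # the only string Windows sets by default
SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    detail: str


def parse_combofix(text: str) -> Tuple[List[Tuple[str, str, str]], List[str],
                                       List[Tuple[int, str, str]]]:
    """Return (run_entries, boot_execute_strings, open_ports) from log text."""
    run_entries, boot_execute, open_ports = [], [], []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if not line:
            continue
        if section.endswith("\\run"):          # skips the disabled "run-" key
            m = RUN_ENTRY_RE.match(line)
            if m:
                name, value, resolved = m.groups()
                run_entries.append((section, name, resolved or value))
        elif section.endswith("\\session manager"):
            m = BOOTEXEC_RE.match(line)
            if m:
                # ComboFix renders the REG_MULTI_SZ separator as a literal "\0".
                boot_execute = m.group(1).split("\\0")
        elif section.endswith("\\globallyopenports\\list"):
            m = OPEN_PORT_RE.match(line)
            if m:
                open_ports.append((int(m.group(1)), m.group(2), m.group(3)))
    return run_entries, boot_execute, open_ports


def triage(text: str) -> List[Finding]:
    """Apply the heuristics and return what a reviewer should look at."""
    run_entries, boot_execute, open_ports = parse_combofix(text)
    findings: List[Finding] = []
    for _section, name, path in run_entries:
        p = path.lower()
        if p.startswith(SYSTEM32) and "\\" in p[len(SYSTEM32):]:
            findings.append(Finding("run", f"{name}: autostart binary in a private subfolder of system32 ({path})"))
        elif any(marker in p for marker in USER_WRITABLE):
            findings.append(Finding("run", f"{name}: autostart binary in a user-writable location ({path})"))
    for entry in boot_execute:
        if entry != DEFAULT_BOOTEXECUTE:
            findings.append(Finding("bootexecute", f"non-default BootExecute string {entry!r}: a forced check of that volume runs at every boot"))
    for port, proto, label in open_ports:
        findings.append(Finding("firewall", f"globally opened {port}/{proto} labelled {label!r}; confirm which program needs it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.detail}")
```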

#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 24 October 2009 - 10:28 PM

A little progress. Much work to do!!

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\gasfkyjkohrlnp.sys

    Drivers to disable:
    gasfkywrcfjiee

    Drivers to delete:
    gasfkywrcfjiee
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

I want you to try Combofix a different way this time. Again right click and delete the current copy.

Please remove all older versions of ComboFix you currently have.

**Print this page as we will kill our internet connection temporarily**

Download a new version of ComboFix from any of the links below and save it to your Desktop.

Now please run ComboFix using these instructions:
  • Close all applications and windows (including this one) so that you have nothing open and are at your Desktop.
  • Go to Start -> Run...
  • Copy the entire contents inside the CODE box below (do NOT copy the word "CODE" from the CODE box!), and paste them into the empty "Open:" box provided:
    "%userprofile%\Desktop\ComboFix.exe" /killall
  • Click OK and follow the on-screen prompts. You again will receive a variety of warnings about the recovery console not being installed etc. Please proceed regardless! You will also see: "You do not appear to be connected to the internet. Kindly connect before clicking 'OK'". At that point, do NOT click OK yet, but instead, please do this:
    • Go to Start -> Control Panel -> Network and Internet Connections -> Network Connections
    • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click Repair
    • Once done, click Close and exit the Network Connections window.
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleaning the system.
==========

With your next post please provide:

* Avenger.txt
* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#12 lenny.coffee

lenny.coffee
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 24 October 2009 - 11:32 PM

When I rebooted, I got a 'Unhandled exception occurred. Press abort to etc...

As it was 'shutting down' I got a BSOD with STOP: 0x0000007E

I rebooted my computer twice and there is no log in the C drive for avenger.

After clicking repair, the system tray said: nircmd.cfxxe- corrupt file, E:\ corrupt etc...

After continuing combofix after repairing connection: I got error: boot partition cannot be enumerated correctly.

While it was scanning: PEV.cfxxe has encountered a problem, needs to close etc
and it rebooted my computer

Combofix

ComboFix 09-10-24.01 - Leonard 25/10/2009 15:21.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.3327.2704 [GMT 11:00]
Running from: c:\documents and settings\Leonard\Desktop\ComboFix.exe
Command switches used :: /killall
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\cjyuu.sys
c:\windows\system32\microday08.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 03:57 . 2009-10-25 03:57 0 ----a-w- C:\backup.reg
2009-10-25 01:13 . 2009-10-25 01:13 -------- d-----w- C:\thcbytes20646t
2009-10-25 00:16 . 2009-10-25 00:16 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-24 23:59 . 2009-10-24 23:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software
2009-10-24 23:58 . 2009-10-24 23:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\TuneUp Software
2009-10-24 07:26 . 2009-10-24 07:26 -------- d-----w- C:\thcbytes29054t
2009-10-24 07:06 . 2009-10-24 07:06 -------- d-----w- c:\documents and settings\Leonard\Application Data\AltrixSoft
2009-10-24 07:05 . 2009-10-24 07:05 -------- d-----w- c:\documents and settings\Leonard\Application Data\IObit
2009-10-24 04:52 . 2009-10-24 04:52 -------- d-----w- C:\thcbytes
2009-10-24 04:21 . 2009-10-24 04:21 -------- d-----w- c:\program files\Windows Sidebar
2009-10-24 04:06 . 2007-08-03 01:48 3974440 ----a-w- c:\windows\system32\AdvrCntr3.dll
2009-10-24 03:14 . 2009-10-25 01:53 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-24 03:14 . 2009-10-25 01:53 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-24 03:14 . 2009-10-25 01:53 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-24 01:01 . 2009-08-26 04:04 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-10-24 00:12 . 2009-10-24 00:12 -------- d-----w- c:\program files\Driver-Soft
2009-10-24 00:00 . 2009-10-24 00:00 -------- d-----w- c:\program files\AVG
2009-10-24 00:00 . 2009-10-24 00:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2009-10-23 23:18 . 2009-10-23 23:18 -------- d-----w- c:\documents and settings\Leonard\Application Data\Passware
2009-10-16 11:08 . 2009-10-16 11:08 -------- d-sh--w- c:\windows\ftpcache
2009-10-16 10:57 . 2009-10-16 10:58 -------- d-----w- c:\program files\gBurner
2009-10-12 12:11 . 2009-10-12 12:11 -------- d-----w- c:\documents and settings\Leonard\Application Data\SunODFPluginforMicrosoftOffice
2009-10-12 11:14 . 2009-10-12 11:14 -------- d-----w- c:\documents and settings\Leonard\.SunDownloadManager
2009-10-12 10:18 . 2009-10-12 10:18 -------- d-----w- c:\documents and settings\Leonard\Application Data\Red Kawa
2009-10-12 10:03 . 2009-10-12 10:03 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Geckofx
2009-10-12 10:03 . 2009-10-12 10:03 -------- d-----w- c:\program files\Red Kawa
2009-10-12 09:44 . 2004-01-24 13:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2009-10-12 09:44 . 2009-10-12 09:44 -------- d-----w- c:\program files\eRightSoft
2009-10-11 14:50 . 2009-10-11 14:50 -------- d-----w- c:\documents and settings\Leonard\Application Data\vlc
2009-10-11 14:25 . 2009-10-11 14:25 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Softonic-Eng3
2009-10-11 14:25 . 2009-10-11 14:25 -------- d-----w- c:\program files\Softonic-Eng3
2009-10-11 14:05 . 2009-10-11 14:05 -------- d-----w- c:\program files\AC3Filter
2009-10-10 06:17 . 2009-10-10 06:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\program files\iPod
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\program files\iTunes
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-04 03:54 . 2009-10-04 03:54 -------- d-----w- c:\program files\QuickTime
2009-10-01 09:50 . 2009-09-04 06:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-10-01 09:50 . 2009-09-04 06:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-10-01 09:50 . 2009-09-04 06:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-29 11:03 . 2009-09-29 11:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2009-09-29 05:50 . 2009-09-29 05:50 -------- d-----w- c:\program files\Trend Micro
2009-09-28 09:40 . 2009-09-28 09:40 -------- d-----w- C:\iPhone Backup Switch
2009-09-28 09:40 . 2009-09-28 09:40 737280 ----a-w- c:\windows\iun6002.exe
2009-09-26 13:59 . 2009-09-26 13:59 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Apple_Inc
2009-09-26 13:58 . 2006-10-26 08:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-09-26 13:57 . 2009-09-26 13:57 -------- d-----w- c:\program files\Microsoft Works
2009-09-26 13:57 . 2009-09-26 13:57 -------- d-----w- c:\program files\Microsoft.NET
2009-09-26 13:55 . 2009-09-26 13:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-09-26 13:55 . 2009-09-26 13:55 -------- d-----w- c:\windows\SHELLNEW
2009-09-26 13:48 . 2009-09-26 13:48 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-25 06:30 . 2000-12-19 12:02 594944 ----a-w- c:\windows\system32\iplPX.dll
2009-09-25 06:30 . 2000-12-19 12:02 7680 ----a-w- c:\windows\system32\ipl.dll
2009-09-25 06:30 . 2000-11-17 12:48 220160 ----a-w- c:\windows\system32\lpng-px.dll
2009-09-25 06:30 . 2000-09-07 12:51 19968 ----a-w- c:\windows\system32\Cpuinf32.dll
2009-09-25 06:10 . 2009-09-25 06:10 -------- d-----w- c:\program files\SatSignal Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 11:01 . 2009-10-08 11:01 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-09-27 07:35 . 2009-08-29 14:43 418664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-26 20:19 . 2009-08-27 09:04 75032 ----a-w- c:\documents and settings\Leonard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 02:48 . 2009-09-25 02:48 -------- d-----w- c:\documents and settings\Leonard\Application Data\Nero
2009-09-25 02:47 . 2009-09-25 02:47 -------- d-----w- c:\program files\Common Files\Nero
2009-09-25 00:14 . 2009-09-25 00:14 -------- d-----w- c:\program files\Elaborate Bytes
2009-09-25 00:12 . 2009-09-25 00:12 -------- d-----w- c:\program files\SlySoft
2009-09-24 12:06 . 2009-09-24 12:06 -------- d-----w- c:\documents and settings\Leonard\Application Data\Canon
2009-09-24 11:57 . 2009-09-24 11:57 -------- d-----w- c:\program files\NewSoft
2009-09-24 11:57 . 2009-09-24 11:57 -------- d-----w- c:\program files\Common Files\PDFView
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\Leonard\Application Data\ScanSoft
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ScanSoft
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\program files\ScanSoft
2009-09-24 11:55 . 2009-09-24 11:55 -------- d-----w- c:\program files\Canon
2009-09-20 08:49 . 2009-09-20 08:49 -------- d-----w- c:\program files\ImTOO
2009-09-20 08:07 . 2009-09-20 08:07 -------- d-----w- c:\documents and settings\Leonard\Application Data\ImTOO Software Studio
2009-09-20 07:29 . 2009-09-20 07:29 -------- d-----w- c:\program files\4Leaf Media Software
2009-09-18 07:07 . 2009-09-18 07:07 -------- d-----w- c:\documents and settings\Leonard\Application Data\dvdcss
2009-09-18 01:38 . 2009-09-18 01:37 -------- d-----w- c:\program files\Digiarty
2009-09-16 13:14 . 2009-09-16 13:14 -------- d-----w- c:\program files\Flash Card Manager
2009-09-16 07:14 . 2009-09-16 07:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\program files\PicShrink
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PicShrink
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-15 00:03 . 2009-09-15 00:03 -------- d-----w- c:\program files\USB Vibration
2009-09-14 12:58 . 2009-09-14 12:58 -------- d-----w- c:\program files\AviSynth 2.5
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\.myibay
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\program files\myibay
2009-09-04 12:31 . 2009-09-04 12:31 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-04 07:04 . 2009-09-04 07:04 -------- d-----w- c:\program files\Alcohol Soft
2009-09-04 06:59 . 2009-08-30 07:15 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 06:57 . 2009-09-04 06:57 -------- d-----w- c:\program files\DVD Decrypter
2009-09-04 06:44 . 2009-08-30 08:12 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-03 11:47 . 2009-09-03 11:47 -------- d-----w- c:\documents and settings\Leonard\Application Data\ViStart
2009-09-03 07:27 . 2009-09-03 07:27 -------- d-----w- c:\documents and settings\Leonard\Application Data\Braid
2009-09-02 12:32 . 2009-09-02 12:32 -------- d-----w- c:\program files\7-Zip
2009-09-02 11:09 . 2009-09-02 11:09 -------- d-----w- c:\documents and settings\Leonard\Application Data\Hamachi
2009-09-02 11:09 . 2009-09-02 11:09 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-09-01 06:10 . 2009-09-01 06:10 -------- d-----w- c:\program files\SmartClose
2009-08-31 09:10 . 2009-08-31 09:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Messenger Plus!
2009-08-30 13:17 . 2009-08-30 13:17 -------- d-----w- c:\program files\Accurate Shutdown
2009-08-30 09:57 . 2009-08-30 09:57 -------- d-----w- c:\documents and settings\Leonard\Application Data\FALCOM
2009-08-30 09:29 . 2009-08-30 09:29 -------- d-----w- c:\program files\Tansee iPhone Transfer
2009-08-30 08:36 . 2009-08-30 08:36 -------- d-----w- c:\program files\uTorrent
2009-08-30 08:36 . 2009-08-30 08:36 -------- d-----w- c:\documents and settings\Leonard\Application Data\uTorrent
2009-08-30 08:30 . 2009-08-30 08:30 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-08-30 08:29 . 2009-08-30 08:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DAEMON Tools Pro
2009-08-30 08:28 . 2009-08-30 08:28 -------- d-----w- c:\documents and settings\Leonard\Application Data\DAEMON Tools Pro
2009-08-30 08:13 . 2009-08-30 08:13 -------- d-----w- c:\documents and settings\Leonard\Application Data\Ubisoft
2009-08-30 08:13 . 2009-08-30 08:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ubisoft
2009-08-30 07:41 . 2009-08-30 07:41 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Microsoft
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Windows Live
2009-08-30 07:34 . 2009-08-30 07:34 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-30 07:33 . 2009-08-30 07:33 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\Leonard\Application Data\Media Player Classic
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\Leonard\Application Data\Malwarebytes
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\program files\Haali
2009-08-30 07:16 . 2009-08-30 07:15 -------- d-----w- c:\program files\CoreCodec
2009-08-30 07:14 . 2009-08-30 07:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-30 07:14 . 2009-08-30 07:14 -------- d-----w- c:\program files\Java
2009-08-30 07:13 . 2009-08-30 07:13 -------- d-----w- c:\program files\CCleaner
2009-08-30 07:13 . 2009-08-30 07:13 -------- d-----w- c:\program files\Google
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\documents and settings\Leonard\Application Data\ImgBurn
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\program files\ImgBurn
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\program files\SpywareBlaster
2009-08-30 07:11 . 2009-08-30 07:11 -------- d-----w- c:\program files\VideoLAN
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\documents and settings\Leonard\Application Data\IDM
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\documents and settings\Leonard\Application Data\DMCache
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\program files\Internet Download Manager
2009-08-30 06:59 . 2009-08-30 06:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\Apple Computer
2009-08-30 06:58 . 2009-08-30 06:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-27 10:25 . 2009-08-27 10:25 -------- d-----w- c:\program files\Realtek
2009-08-27 10:25 . 2009-08-27 10:25 315392 ----a-w- c:\windows\HideWin.exe
2009-08-27 10:25 . 2009-08-27 10:25 -------- d-----w- c:\program files\Intel
2009-08-27 10:23 . 2009-08-27 10:23 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-27 10:21 . 2009-08-27 10:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-27 10:21 . 2009-08-27 10:21 -------- d-----w- c:\program files\ATI Technologies
2009-08-27 10:21 . 2009-08-27 10:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-27 08:21 . 2009-08-27 08:21 -------- d-----w- c:\program files\microsoft frontpage
2009-08-27 08:19 . 2009-08-27 08:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-10-25_01.22.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 04:27 . 2009-10-25 04:27 16384 c:\windows\Temp\Perflib_Perfdata_744.dat
+ 2009-08-27 09:02 . 2009-10-25 04:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-27 09:02 . 2009-10-25 01:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-27 09:02 . 2009-10-25 04:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-08-27 09:02 . 2009-10-25 01:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-08-27 09:02 . 2009-10-25 04:20 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-08-27 09:02 . 2009-10-25 01:17 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b592e943-0cb6-482c-849e-a2311298cdfd}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b592e943-0cb6-482c-849e-a2311298cdfd}]
2009-09-23 00:50 2261016 ----a-w- c:\program files\Softonic-Eng3\tbSoft.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b592e943-0cb6-482c-849e-a2311298cdfd}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B592E943-0CB6-482C-849E-A2311298CDFD}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-07-20 2815408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-13 289072]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"ats"="c:\windows\system32\asd\loadqm.exe" [2005-08-26 659456]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ElbyCheckAnyDVD"="c:\program files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2003-09-29 175616]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-25 2010904]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\Leonard\Start Menu\Programs\Startup\
myibay eBay bid sniper.lnk - c:\program files\myibay\myibay.exe [2009-9-6 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-24 03:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\E:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "c:\documents and settings\All Users.WINDOWS\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Games\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\Program Files\\CAPCOM\\STREETFIGHTERIV\\StreetFighterIV.exe"=
"g:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"g:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"g:\\Games\\Call of Duty - World at War\\CoDWaW.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Games\\RESIDENT EVIL 5\\RE5DX9.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45889:TCP"= 45889:TCP:asf
"45889:UDP"= 45889:UDP:sdfsdfds

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [24/10/2009 2:14 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/10/2009 2:14 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/10/2009 2:14 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [24/10/2009 2:14 PM 285392]
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Leonard\Application Data\Mozilla\Firefox\Profiles\qjex6qtl.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/ig?hl=en&source=iglk
FF - component: c:\documents and settings\Leonard\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: g:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 15:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ats = c:\windows\system32\asd\loadqm.exe noshow???y???????@???@?????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2852)
gasfkyowydybmk.dll 10000000 32768 \\?\globalroot\systemroot\system32\gasfkyowydybmk.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\combofix\CF13237.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 15:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 04:29

Pre-Run: 10,768,367,616 bytes free
Post-Run: 10,770,317,312 bytes free

- - End Of File - - A63DE4FF12FFE2CB8E533C66F5E0D419
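
Two lines in the ComboFix output above are the ones a malware responder would read first: a DLL in explorer.exe listed only under a `\\?\globalroot\` path (gasfkyowydybmk.dll), and a Run-key value that catchme could read but that prints as a run of unprintable bytes. As an added example that is not part of this thread, the following Python scanner applies those two checks, plus a review flag for every globally opened firewall port, to a handful of lines copied from the log above. The rule names, the `Finding` type and the trimmed sample log are this example's own construction.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines lifted from the ComboFix / catchme log in
# post #12 above (a Windows XP host), trimmed by hand for this example.
SAMPLE_LOG = r"""
c:\windows\system32\Drivers\cjyuu.sys
"ats"="c:\windows\system32\asd\loadqm.exe" [2005-08-26 659456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\E:\0autocheck autochk *
"45889:TCP"= 45889:TCP:asf
"45889:UDP"= 45889:UDP:sdfsdfds
ats = c:\windows\system32\asd\loadqm.exe noshow???y???????@???@?????????????
gasfkyowydybmk.dll 10000000 32768 \\?\globalroot\systemroot\system32\gasfkyowydybmk.dll
c:\windows\system32\msi.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # which check fired (names are this example's own)
    line: str   # the log line that triggered it


RULES = [
    # A module that the tool can only name through the object-manager form
    # \\?\globalroot\... is one it could not see through the normal drive
    # letter view; a file visible only that way is typically hidden from
    # the file system API, which is why the explorer.exe line stands out.
    ("globalroot-path", re.compile(r"\\\\\?\\globalroot\\", re.IGNORECASE)),
    # catchme renders unprintable bytes as '?'. An autostart value with a
    # run of three or more is not something an installer writes; note that
    # the legitimate \??\E: prefix in BootExecute has only two and is skipped.
    ("garbled-autostart", re.compile(r"\?{3,}")),
    # Every GloballyOpenPorts entry on a home machine deserves a look, and a
    # meaningless label such as "sdfsdfds" all the more so.
    ("global-open-port",
     re.compile(r'^"\d+:(TCP|UDP)"=\s*\d+:(TCP|UDP):', re.IGNORECASE)),
]


def scan_log(text):
    """Run every rule over every non-empty line; return all matches."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'global-open-port': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run against the sample, the scanner reports the globalroot DLL once, the garbled `ats` autostart once and the two 45889 firewall entries; the driver deleted under "Other Deletions" (cjyuu.sys) is not matched by any rule, which is deliberate: a short random-looking name alone is not a reliable signal and a check for it would need a reference set the log does not provide.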

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 25 October 2009 - 12:31 AM

Still more progress.

Please do this.....

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Please re-run Gmer and post a log

==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :(

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\HideWin.exe
c:\windows\iun6002.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

With your next post please provide:

* Gmer log
* Combofix log
* How is your computer running now?

Kind regards,
~t

#14 lenny.coffee

lenny.coffee
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 25 October 2009 - 01:48 AM

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-25 17:02:38
Windows 5.1.2600 Service Pack 2
Running: u60b4q4u.exe; Driver: C:\DOCUME~1\Leonard\LOCALS~1\Temp\fxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT sprq.sys ZwCreateKey [0xB9EA70E0]
SSDT sprq.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT sprq.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT sprq.sys ZwOpenKey [0xB9EA70C0]
SSDT sprq.sys ZwQueryKey [0xB9EC610A]
SSDT sprq.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT sprq.sys ZwSetValueKey [0xB9EC619C]

INT 0x74 ? 8AEA3F00
INT 0x83 ? 8B109BF8
INT 0x83 ? 8B109BF8
INT 0x83 ? 8AEA3F00
INT 0x83 ? 8B109BF8
INT 0x84 ? 8AEA3F00
INT 0x94 ? 8AEA3F00
INT 0x94 ? 8AEA3F00
INT 0x94 ? 8AEA3F00
INT 0x94 ? 8AEA3F00
INT 0xA4 ? 8AEA3F00
INT 0xB1 ? 8B10CBF8
INT 0xB1 ? 8B10CBF8
INT 0xB4 ? 8B109BF8
INT 0xB4 ? 8B109BF8
INT 0xB4 ? 8B109BF8
INT 0xB4 ? 8B109BF8
INT 0xB4 ? 8B109BF8

Code 8ADB5338 ZwFlushInstructionCache
Code 8ADB614E ZwSaveKey
Code 8ADB500E ZwSaveKeyEx
Code 8ADB665E IofCallDriver
Code 8ADB806E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EEEB8 5 Bytes JMP 8ADB6663
.text ntkrnlpa.exe!IofCompleteRequest 804EEF48 5 Bytes JMP 8ADB8073
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B51CE 5 Bytes JMP 8ADB533C
PAGE ntkrnlpa.exe!ZwSaveKey 806204F2 5 Bytes JMP 8ADB6152
PAGE ntkrnlpa.exe!ZwSaveKeyEx 80620582 5 Bytes JMP 8ADB5012
? sprq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B989262C 5 Bytes JMP 8AEA34E0
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!FindResourceExW 7C80AB10 4 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!FindResourceExW + 5 7C80AB15 2 Bytes [CC, CC] {INT 3 ; INT 3 }
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!FindResourceW 7C80BA56 7 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!SizeofResource 7C80BAF1 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!LockResource 7C80C6CF 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!FindResourceA 7C80C7B1 7 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!CreateEventA 7C81E4BD 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] kernel32.dll!FindResourceExA 7C822C2D 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] ADVAPI32.dll!CryptDeriveKey 77DEA685 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] ADVAPI32.dll!CryptDecrypt 77DEA7B1 2 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] ADVAPI32.dll!CryptDecrypt + 3 77DEA7B4 4 Bytes [21, B0, CC, CC]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!GetWindowLongW 77D4887E 7 Bytes JMP 28006B00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!PeekMessageW 77D49278 5 Bytes JMP 280046C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 28003CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!SetWindowRgn 77D51DE0 7 Bytes JMP 28005FE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!LoadIconW 77D52174 5 Bytes JMP 28006960 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!LoadImageW 77D542A4 5 Bytes JMP 28006770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!CreateDialogParamW 77D6629F 5 Bytes JMP 28006120 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!SetWindowPlacement 77D6FBEA 5 Bytes JMP 28005EA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 28006310 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] USER32.dll!TrackPopupMenuEx 77D9CAFE 5 Bytes JMP 28004FA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WS2_32.dll!send 71AB428A 5 Bytes JMP 2800B770 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 2800B550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WS2_32.dll!recv 71AB615A 5 Bytes JMP 2800B3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 2800B950 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 2800BB90 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] SHELL32.dll!Shell_NotifyIconW 7CA37CE1 5 Bytes JMP 28003440 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] ole32.dll!CoInitializeEx 774F42F3 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] ole32.dll!CoRegisterClassObject 77541BFC 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WININET.dll!HttpOpenRequestA 771C4AC5 5 Bytes JMP 2800A220 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WININET.dll!InternetCloseHandle 771C61DC 5 Bytes JMP 2800A560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WININET.dll!HttpSendRequestA 771C76B8 5 Bytes JMP 2800A490 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2100] WININET.dll!InternetReadFile 771C9555 5 Bytes JMP 2800A3B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] sprq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] sprq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] sprq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] sprq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] sprq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] sprq.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AC8F1F8
Device \FileSystem\Fastfat \FatCdrom 8B1081F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_PNP3614 \Device\00000040 sprq.sys
Device \Driver\sptd \Device\1605346114 sprq.sys
Device \Driver\usbuhci \Device\USBPDO-0 8ADE1500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B0991F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B0991F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B0991F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B0991F8
Device \Driver\usbuhci \Device\USBPDO-1 8ADE1500
Device \Driver\usbuhci \Device\USBPDO-2 8ADE1500
Device \Driver\usbehci \Device\USBPDO-3 8AEA1500
Device \Driver\usbuhci \Device\USBPDO-4 8ADE1500

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 8ADE1500
Device \Driver\usbuhci \Device\USBPDO-6 8ADE1500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B10A1F8
Device \Driver\usbehci \Device\USBPDO-7 8AEA1500
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B10A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-13 8B1091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-13 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-1b 8B1091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-1b AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort0 8B1091F8
Device \Driver\atapi \Device\Ide\IdePort0 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8B1091F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort1 8B1091F8
Device \Driver\atapi \Device\Ide\IdePort1 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort2 8B1091F8
Device \Driver\atapi \Device\Ide\IdePort2 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort3 8B1091F8
Device \Driver\atapi \Device\Ide\IdePort3 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort4 8B1091F8
Device \Driver\atapi \Device\Ide\IdePort4 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort5 8B1091F8
Device \Driver\atapi \Device\Ide\IdePort5 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\Ftdisk \Device\HarddiskVolume4 8B10A1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AD7C500
Device \Driver\sptd \Device\1605189864 sprq.sys
Device \Driver\PCI_PNP3614 \Device\0000003f sprq.sys
Device \Driver\NetBT \Device\NetbiosSmb 8AD7C500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8ADE1500
Device \Driver\usbuhci \Device\USBFDO-1 8ADE1500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AD32500
Device \Driver\usbuhci \Device\USBFDO-2 8ADE1500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AD32500
Device \Driver\usbehci \Device\USBFDO-3 8AEA1500
Device \Driver\usbuhci \Device\USBFDO-4 8ADE1500
Device \Driver\Ftdisk \Device\FtControl 8B10A1F8
Device \Driver\usbuhci \Device\USBFDO-5 8ADE1500
Device \Driver\usbuhci \Device\USBFDO-6 8ADE1500
Device \Driver\usbehci \Device\USBFDO-7 8AEA1500
Device \Driver\a2dirvtd \Device\Scsi\a2dirvtd1 8ABBE1F8
Device \Driver\afvcizdi \Device\Scsi\afvcizdi1 8ABC01F8
Device \Driver\afvcizdi \Device\Scsi\afvcizdi1 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \Driver\afvcizdi \Device\Scsi\afvcizdi1Port7Path0Target0Lun0 8ABC01F8
Device \Driver\afvcizdi \Device\Scsi\afvcizdi1Port7Path0Target0Lun0 AnyDVD.sys (Watch & copy any DVD!/SlySoft, Inc.)
Device \FileSystem\Fastfat \Fat 8B1081F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8AE582A8

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gasfkyowydybmk.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [296] 0x007E0000
Library \\?\globalroot\systemroot\system32\gasfkyowydybmk.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2852] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkyjkohrlnp.sys (*** hidden *** ) [SYSTEM] gasfkywrcfjiee <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


Running from: c:\documents and settings\Leonard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Leonard\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 03:57 . 2009-10-25 03:57 0 ----a-w- C:\backup.reg
2009-10-25 01:13 . 2009-10-25 01:13 -------- d-----w- C:\thcbytes20646t
2009-10-25 00:16 . 2009-10-25 00:16 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-24 23:59 . 2009-10-24 23:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TuneUp Software
2009-10-24 23:58 . 2009-10-24 23:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\TuneUp Software
2009-10-24 07:26 . 2009-10-24 07:26 -------- d-----w- C:\thcbytes29054t
2009-10-24 07:06 . 2009-10-24 07:06 -------- d-----w- c:\documents and settings\Leonard\Application Data\AltrixSoft
2009-10-24 07:05 . 2009-10-24 07:05 -------- d-----w- c:\documents and settings\Leonard\Application Data\IObit
2009-10-24 04:52 . 2009-10-24 04:52 -------- d-----w- C:\thcbytes
2009-10-24 04:21 . 2009-10-24 04:21 -------- d-----w- c:\program files\Windows Sidebar
2009-10-24 04:06 . 2007-08-03 01:48 3974440 ----a-w- c:\windows\system32\AdvrCntr3.dll
2009-10-24 03:14 . 2009-10-25 01:53 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-24 03:14 . 2009-10-25 01:53 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-24 03:14 . 2009-10-25 01:53 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-24 03:14 . 2009-10-24 03:14 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-24 01:01 . 2009-08-26 04:04 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-10-24 00:12 . 2009-10-24 00:12 -------- d-----w- c:\program files\Driver-Soft
2009-10-24 00:00 . 2009-10-24 00:00 -------- d-----w- c:\program files\AVG
2009-10-24 00:00 . 2009-10-24 00:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2009-10-23 23:18 . 2009-10-23 23:18 -------- d-----w- c:\documents and settings\Leonard\Application Data\Passware
2009-10-16 11:08 . 2009-10-16 11:08 -------- d-sh--w- c:\windows\ftpcache
2009-10-16 10:57 . 2009-10-16 10:58 -------- d-----w- c:\program files\gBurner
2009-10-12 12:11 . 2009-10-12 12:11 -------- d-----w- c:\documents and settings\Leonard\Application Data\SunODFPluginforMicrosoftOffice
2009-10-12 11:14 . 2009-10-12 11:14 -------- d-----w- c:\documents and settings\Leonard\.SunDownloadManager
2009-10-12 10:18 . 2009-10-12 10:18 -------- d-----w- c:\documents and settings\Leonard\Application Data\Red Kawa
2009-10-12 10:03 . 2009-10-12 10:03 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Geckofx
2009-10-12 10:03 . 2009-10-12 10:03 -------- d-----w- c:\program files\Red Kawa
2009-10-12 09:44 . 2004-01-24 13:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2009-10-12 09:44 . 2009-10-12 09:44 -------- d-----w- c:\program files\eRightSoft
2009-10-11 14:50 . 2009-10-11 14:50 -------- d-----w- c:\documents and settings\Leonard\Application Data\vlc
2009-10-11 14:25 . 2009-10-11 14:25 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Softonic-Eng3
2009-10-11 14:25 . 2009-10-11 14:25 -------- d-----w- c:\program files\Softonic-Eng3
2009-10-11 14:05 . 2009-10-11 14:05 -------- d-----w- c:\program files\AC3Filter
2009-10-10 06:17 . 2009-10-10 06:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\program files\iPod
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\program files\iTunes
2009-10-04 03:55 . 2009-10-04 03:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-04 03:54 . 2009-10-04 03:54 -------- d-----w- c:\program files\QuickTime
2009-10-01 09:50 . 2009-09-04 06:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-10-01 09:50 . 2009-09-04 06:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-10-01 09:50 . 2009-09-04 06:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-10-01 09:50 . 2009-09-04 06:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-29 11:03 . 2009-09-29 11:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2009-09-29 05:50 . 2009-09-29 05:50 -------- d-----w- c:\program files\Trend Micro
2009-09-28 09:40 . 2009-09-28 09:40 -------- d-----w- C:\iPhone Backup Switch
2009-09-28 09:40 . 2009-09-28 09:40 737280 ----a-w- c:\windows\iun6002.exe
2009-09-26 13:59 . 2009-09-26 13:59 -------- d-----w- c:\documents and settings\Leonard\Local Settings\Application Data\Apple_Inc
2009-09-26 13:58 . 2006-10-26 08:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-09-26 13:57 . 2009-09-26 13:57 -------- d-----w- c:\program files\Microsoft Works
2009-09-26 13:57 . 2009-09-26 13:57 -------- d-----w- c:\program files\Microsoft.NET
2009-09-26 13:55 . 2009-09-26 13:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-09-26 13:55 . 2009-09-26 13:55 -------- d-----w- c:\windows\SHELLNEW
2009-09-26 13:48 . 2009-09-26 13:48 -------- d-----w- c:\program files\iPhone Configuration Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 11:01 . 2009-10-08 11:01 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-09-27 07:35 . 2009-08-29 14:43 418664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-26 20:19 . 2009-08-27 09:04 75032 ----a-w- c:\documents and settings\Leonard\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 06:10 . 2009-09-25 06:10 -------- d-----w- c:\program files\SatSignal Software
2009-09-25 02:48 . 2009-09-25 02:48 -------- d-----w- c:\documents and settings\Leonard\Application Data\Nero
2009-09-25 02:47 . 2009-09-25 02:47 -------- d-----w- c:\program files\Common Files\Nero
2009-09-25 00:14 . 2009-09-25 00:14 -------- d-----w- c:\program files\Elaborate Bytes
2009-09-25 00:12 . 2009-09-25 00:12 -------- d-----w- c:\program files\SlySoft
2009-09-24 12:06 . 2009-09-24 12:06 -------- d-----w- c:\documents and settings\Leonard\Application Data\Canon
2009-09-24 11:57 . 2009-09-24 11:57 -------- d-----w- c:\program files\NewSoft
2009-09-24 11:57 . 2009-09-24 11:57 -------- d-----w- c:\program files\Common Files\PDFView
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\InstallShield
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\Leonard\Application Data\ScanSoft
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ScanSoft
2009-09-24 11:56 . 2009-09-24 11:56 -------- d-----w- c:\program files\ScanSoft
2009-09-24 11:55 . 2009-09-24 11:55 -------- d-----w- c:\program files\Canon
2009-09-20 08:49 . 2009-09-20 08:49 -------- d-----w- c:\program files\ImTOO
2009-09-20 08:07 . 2009-09-20 08:07 -------- d-----w- c:\documents and settings\Leonard\Application Data\ImTOO Software Studio
2009-09-20 07:29 . 2009-09-20 07:29 -------- d-----w- c:\program files\4Leaf Media Software
2009-09-18 07:07 . 2009-09-18 07:07 -------- d-----w- c:\documents and settings\Leonard\Application Data\dvdcss
2009-09-18 01:38 . 2009-09-18 01:37 -------- d-----w- c:\program files\Digiarty
2009-09-16 13:14 . 2009-09-16 13:14 -------- d-----w- c:\program files\Flash Card Manager
2009-09-16 07:14 . 2009-09-16 07:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\program files\PicShrink
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PicShrink
2009-09-16 06:20 . 2009-09-16 06:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-15 00:03 . 2009-09-15 00:03 -------- d-----w- c:\program files\USB Vibration
2009-09-14 12:58 . 2009-09-14 12:58 -------- d-----w- c:\program files\AviSynth 2.5
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\.myibay
2009-09-06 12:58 . 2009-09-06 12:58 -------- d-----w- c:\program files\myibay
2009-09-04 12:31 . 2009-09-04 12:31 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-04 07:04 . 2009-09-04 07:04 -------- d-----w- c:\program files\Alcohol Soft
2009-09-04 06:59 . 2009-08-30 07:15 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 06:57 . 2009-09-04 06:57 -------- d-----w- c:\program files\DVD Decrypter
2009-09-04 06:44 . 2009-08-30 08:12 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-03 11:47 . 2009-09-03 11:47 -------- d-----w- c:\documents and settings\Leonard\Application Data\ViStart
2009-09-03 07:27 . 2009-09-03 07:27 -------- d-----w- c:\documents and settings\Leonard\Application Data\Braid
2009-09-02 12:32 . 2009-09-02 12:32 -------- d-----w- c:\program files\7-Zip
2009-09-02 11:09 . 2009-09-02 11:09 -------- d-----w- c:\documents and settings\Leonard\Application Data\Hamachi
2009-09-02 11:09 . 2009-09-02 11:09 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-09-01 06:10 . 2009-09-01 06:10 -------- d-----w- c:\program files\SmartClose
2009-08-31 09:10 . 2009-08-31 09:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Messenger Plus!
2009-08-30 13:17 . 2009-08-30 13:17 -------- d-----w- c:\program files\Accurate Shutdown
2009-08-30 09:57 . 2009-08-30 09:57 -------- d-----w- c:\documents and settings\Leonard\Application Data\FALCOM
2009-08-30 09:29 . 2009-08-30 09:29 -------- d-----w- c:\program files\Tansee iPhone Transfer
2009-08-30 08:36 . 2009-08-30 08:36 -------- d-----w- c:\program files\uTorrent
2009-08-30 08:36 . 2009-08-30 08:36 -------- d-----w- c:\documents and settings\Leonard\Application Data\uTorrent
2009-08-30 08:30 . 2009-08-30 08:30 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-08-30 08:29 . 2009-08-30 08:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DAEMON Tools Pro
2009-08-30 08:28 . 2009-08-30 08:28 -------- d-----w- c:\documents and settings\Leonard\Application Data\DAEMON Tools Pro
2009-08-30 08:13 . 2009-08-30 08:13 -------- d-----w- c:\documents and settings\Leonard\Application Data\Ubisoft
2009-08-30 08:13 . 2009-08-30 08:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ubisoft
2009-08-30 07:41 . 2009-08-30 07:41 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Microsoft
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-30 07:39 . 2009-08-30 07:39 -------- d-----w- c:\program files\Windows Live
2009-08-30 07:34 . 2009-08-30 07:34 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-30 07:33 . 2009-08-30 07:33 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\Leonard\Application Data\Media Player Classic
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\Leonard\Application Data\Malwarebytes
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-30 07:16 . 2009-08-30 07:16 -------- d-----w- c:\program files\Haali
2009-08-30 07:16 . 2009-08-30 07:15 -------- d-----w- c:\program files\CoreCodec
2009-08-30 07:14 . 2009-08-30 07:14 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-30 07:14 . 2009-08-30 07:14 -------- d-----w- c:\program files\Java
2009-08-30 07:13 . 2009-08-30 07:13 -------- d-----w- c:\program files\CCleaner
2009-08-30 07:13 . 2009-08-30 07:13 -------- d-----w- c:\program files\Google
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\documents and settings\Leonard\Application Data\ImgBurn
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\program files\ImgBurn
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-08-30 07:12 . 2009-08-30 07:12 -------- d-----w- c:\program files\SpywareBlaster
2009-08-30 07:11 . 2009-08-30 07:11 -------- d-----w- c:\program files\VideoLAN
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\documents and settings\Leonard\Application Data\IDM
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\documents and settings\Leonard\Application Data\DMCache
2009-08-30 07:00 . 2009-08-30 07:00 -------- d-----w- c:\program files\Internet Download Manager
2009-08-30 06:59 . 2009-08-30 06:58 -------- d-----w- c:\documents and settings\Leonard\Application Data\Apple Computer
2009-08-30 06:58 . 2009-08-30 06:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-27 10:25 . 2009-08-27 10:25 -------- d-----w- c:\program files\Realtek
2009-08-27 10:25 . 2009-08-27 10:25 315392 ----a-w- c:\windows\HideWin.exe
2009-08-27 10:25 . 2009-08-27 10:25 -------- d-----w- c:\program files\Intel
2009-08-27 10:23 . 2009-08-27 10:23 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-27 10:21 . 2009-08-27 10:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-27 10:21 . 2009-08-27 10:21 -------- d-----w- c:\program files\ATI Technologies
2009-08-27 10:21 . 2009-08-27 10:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-27 08:21 . 2009-08-27 08:21 -------- d-----w- c:\program files\microsoft frontpage
2009-08-27 08:19 . 2009-08-27 08:19 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-10-25_01.22.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 04:32 . 2009-10-25 06:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-27 09:02 . 2009-10-25 01:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-27 09:02 . 2009-10-25 06:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-08-27 09:02 . 2009-10-25 01:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-25 04:32 . 2009-10-25 06:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b592e943-0cb6-482c-849e-a2311298cdfd}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b592e943-0cb6-482c-849e-a2311298cdfd}]
2009-09-23 00:50 2261016 ----a-w- c:\program files\Softonic-Eng3\tbSoft.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b592e943-0cb6-482c-849e-a2311298cdfd}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B592E943-0CB6-482C-849E-A2311298CDFD}"= "c:\program files\Softonic-Eng3\tbSoft.dll" [2009-09-23 2261016]

[HKEY_CLASSES_ROOT\clsid\{b592e943-0cb6-482c-849e-a2311298cdfd}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-07-20 2815408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-13 289072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"ats"="c:\windows\system32\asd\loadqm.exe" [2005-08-26 659456]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"ElbyCheckAnyDVD"="c:\program files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2003-09-29 175616]
"GrooveMonitor"="g:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-25 2010904]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\Leonard\Start Menu\Programs\Startup\
myibay eBay bid sniper.lnk - c:\program files\myibay\myibay.exe [2009-9-6 156672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-24 03:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\E:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ScanSoft OmniPage SE 4.0-reminder"="c:\program files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "c:\documents and settings\All Users.WINDOWS\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Games\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\Program Files\\CAPCOM\\STREETFIGHTERIV\\StreetFighterIV.exe"=
"g:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"g:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"g:\\Games\\Call of Duty - World at War\\CoDWaW.exe"=
"g:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"g:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Games\\RESIDENT EVIL 5\\RE5DX9.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45889:TCP"= 45889:TCP:asf
"45889:UDP"= 45889:UDP:sdfsdfds

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [24/10/2009 2:14 PM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [24/10/2009 2:14 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [24/10/2009 2:14 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [24/10/2009 2:14 PM 285392]
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15187&l=dis
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Leonard\Application Data\Mozilla\Firefox\Profiles\qjex6qtl.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/ig?hl=en&source=iglk
FF - component: c:\documents and settings\Leonard\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: g:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 17:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ats = c:\windows\system32\asd\loadqm.exe noshow???????????T???C?:?\?W?I?N?D?O

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-25 17:44
ComboFix-quarantined-files.txt 2009-10-25 06:44
ComboFix2.txt 2009-10-25 04:29

Pre-Run: 10,615,013,376 bytes free
Post-Run: 10,619,781,120 bytes free

- - End Of File - - 7F31552B40E89B7579086304960D9BD5

My computer still has the problems:

My local disk D was suddenly formatted, and when I try to format it, it says: The disk in drive D cannot be formatted.

Also, the data in New volume E is no longer accessible, although it acknowledges I have used 10gbs in that drive (free space: 19.31 gbs/30.1)

Going to system properties > startup and recovery > settings gives me a
'The C:\boot.ini can not be opened. Operating system and Timeout settings cannot be changed.'

I sometimes get: The file or directory E:\ is corrupt and unreadable. Please run the Chkdsk utility. I have run chkdsk many times and this still pops up.

When I reboot, I got an 'Unhandled exception occurred. Press abort to etc...'
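As an added example (not part of this thread, and not code from ComboFix, catchme or the helpers here), a small Python triage script run over a constructed excerpt in the ComboFix/catchme log format posted above. It flags the two indicators that log exposes: firewall exceptions with keyboard-mash labels, and autostart entries that catchme could only see by bypassing the normal registry API. The "Remote Desktop" line is added to show a legitimate entry passing the heuristic.

```python
import re

# Constructed sample modelled on the ComboFix/catchme output in this thread (not a live log).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45889:TCP"= 45889:TCP:asf
"45889:UDP"= 45889:UDP:sdfsdfds
"3389:TCP"= 3389:TCP:Remote Desktop

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [24/10/2009 2:14 PM 161800]

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ats = c:\windows\system32\asd\loadqm.exe noshow???????????T???C?:?\?W?I?N?D?O

scanning hidden files ...
"""

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
RUN_ENTRY_RE = re.compile(r'^(\S+)\s*=\s*(.+)$')


def suspicious_port_label(label):
    # Heuristic: real exceptions carry a product name; keyboard-mash labels
    # such as "asf" or "sdfsdfds" are very short or contain no vowel at all.
    label = label.strip()
    return len(label) < 4 or re.search(r'[aeiou]', label, re.I) is None


def triage(log_text):
    findings = {"open_ports": [], "hidden_autostart": []}
    in_hidden = False
    key = None
    for line in log_text.splitlines():
        m = PORT_RE.match(line)
        if m and suspicious_port_label(m.group(3)):
            findings["open_ports"].append(f"{m.group(1)}/{m.group(2)} ({m.group(3).strip()})")
            continue
        if line.startswith("scanning hidden autostart entries"):
            in_hidden = True
            continue
        if line.startswith("scanning "):
            in_hidden = False
            continue
        if in_hidden and line.startswith("HK"):
            key = line
        elif in_hidden and key:
            m = RUN_ENTRY_RE.match(line)
            if m:
                # catchme lists only entries hidden from the normal registry API, so
                # every entry here is a finding; the '?' run is a wide-char value tail.
                findings["hidden_autostart"].append((key, m.group(1), m.group(2).split("?")[0].strip()))
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```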

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:24 PM

Posted 25 October 2009 - 09:24 AM

Very stubborn Rootkit. :)

I am hesitant to fix boot.ini while the Rootkit is still active as I am concerned that it will be deleted again. But Combofix will be safer and more effective if we can get boot.ini fixed & get the RecoveryConsole installed. Let me try to nuke the Rootkit another way.

Please do this........

Right click and delete your current copy of Combofix.

Download ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!


:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :(

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::
C:\WINDOWS\system32\drivers\gasfkyjkohrlnp.sys

Driver::
gasfkywrcfjiee


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
