
Antivirus System Pro & Security Tool infection


  • This topic is locked
19 replies to this topic

#1 sweetsweetsweet

sweetsweetsweet

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:52 PM

Posted 08 November 2009 - 03:35 AM

Yesterday, I managed to catch two fake anti-virus malware at the same time.
Security Tool and Antivirus System Pro. Security Tool seemed to dominate, blocking basically everything. I didn't even realize I had the Antivirus System Pro too.

I followed all the instructions in the virus removal section to remove Security Tool using rkill and malwarebytes.
I had the Security Tool with vundo. ( 2nd run-in with vundo this year... >.> )
Then I rebooted and discovered that I had Antivirus System Pro.
Again, I tried using malwarebytes, running the actual executable and not the random one from removing Security Tool.
But this time, I receive the error "Unable to execute file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe Create Process failed, code 2. The system cannot find the file specified"

The program pops up all the time and keeps opening IE and tries to open pr0n sites.
I had difficulty running both the dds tool and rootrepeal, getting the messages such as saying the file is infected, would you like to start your anti-virus now? or something along the lines of that.
I grabbed a copy of hijackthis (fluffybunny.exe) and managed to obtain a text file, which I could not open since the malware wouldn't let me run notepad.

Sometimes I can open taskmanager but sometimes I can't. I can't open registry, help center, or restore. I can't even run malwarebytes in safe mode.

I know this is really bad, but I killed the process "xtccsysguard.exe" and I think something else too, but I'm kind of afraid to restart just in case I can't run taskmanager again the next time I reboot.
Apparently, this stopped IE from trying to access pr0n and no "buy Antivirus System Pro" or fake security alert pop-ups are showing, but I can still see the program in my taskbar.
Then I tried to run dds tool (which I renamed bunny), and it worked. Unfortunately, rootrepeal (which I renamed happy) still doesn't. (I renamed the files in hopes that the malware would ignore them)

I haven't tried running malwarebytes again, since I think I'll end up with the same error message from earlier.

I am posting the DDS file from AFTER I killed xtccsysguard.exe.
I am unable to post rootrepeal files since I can't seem to run it.
I will post hijackthis files on request; apparently the system won't allow me to upload it since I used version 2.0.0. I will restart later and try running v2.02 and post if it works.

I hope someone can help me with this! Thanks~!


(dds file is from AFTER killing xtccsysguard.exe)

DDS (Ver_09-10-26.01) - NTFSx86
Run by kiwi at 23:50:12.15 on Sat 11/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1495 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
svchost.exe
C:\DOCUME~1\kiwi\LOCALS~1\Temp\cr2kbcxp9.exe
C:\DOCUME~1\kiwi\LOCALS~1\Temp\winamp.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\kiwi\Desktop\bunny.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - No File
BHO: BHO: {b6d223f6-c185-49a2-ba7e-a03e84744702} - c:\windows\system32\iehelper.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [calc] rundll32.exe c:\docume~1\kiwi\ntuser.dll,_IWMPEvents@0
uRun: [winhbt.exe] c:\docume~1\kiwi\locals~1\temp\winhbt.exe
uRun: [BackUp Windows 2009] c:\docume~1\kiwi\locals~1\temp\cr2kbcxp9.exe
uRun: [tyoucsbe] c:\documents and settings\kiwi\local settings\application data\knfyxg\xtccsysguard.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\kiwi\locals~1\temp\winamp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [tyoucsbe] c:\documents and settings\kiwi\local settings\application data\knfyxg\xtccsysguard.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\jj9OngFQB.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [calc] rundll32.exe c:\docume~1\networ~1\ntuser.dll,_IWMPEvents@0
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: kepivuve.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd gehiraso.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kiwi\applic~1\mozilla\firefox\profiles\bi6nuxz0.default\
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2008-7-24 22560]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2008-7-24 2058776]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [2008-7-24 72448]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-7-24 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-24 41216]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2008-7-24 71961]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]

=============== Created Last 30 ================

2009-11-08 07:34:16 34816 ----a-w- c:\windows\system32\drivers\happy.sys
2009-11-08 06:21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 06:21:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 06:13:58 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-08 06:10:15 7680 --sha-w- c:\windows\Thumbs.db
2009-11-08 05:47:24 12032 ----a-w- c:\windows\system32\iehelper.dll
2009-11-08 05:00:11 0 d-----w- c:\docume~1\kiwi\applic~1\Malwarebytes
2009-11-08 05:00:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 05:00:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-08 04:58:00 4045544 ----a-w- C:\mbam-setup.exe
2009-11-08 04:57:55 262656 ----a-w- C:\rkill.com
2009-11-07 09:24:28 0 --sha-w- C:\-662714555
2009-11-02 01:16:43 0 d-----w- c:\docume~1\kiwi\applic~1\.BitTornado
2009-10-18 06:55:18 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-18 06:52:26 0 d-----w- c:\windows\SHELLNEW
2009-10-18 06:22:56 0 d-----w- c:\windows\system32\appmgmt
2009-10-17 09:23:25 0 d-----w- c:\windows\SQL9_KB970892_ENU

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:58:50 19791 ----a-w- c:\windows\HPHins02.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\calc.dll
2009-08-07 09:24:33 52224 --sha-w- c:\windows\system32\hujepaka.dll
2009-08-07 09:24:33 52224 --sha-w- c:\windows\system32\kepivuve.dll
2008-07-24 22:47:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-03-22 04:36:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032120090322\index.dat

============= FINISH: 23:50:19.25 ===============
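As an added example (not code from the thread, from DDS, or from the helpers), the script below parses the "Pseudo HJT Report" section of a DDS log and flags the persistence patterns visible in the log above: autoruns launched from Temp or per-user Application Data, a rundll32 value repeated across the user/machine/default hives, lockdown policies, a populated AppInit_DLLs and non-default LSA notification packages. The sample input is a constructed subset of the entries posted above; the rules are review heuristics, not verdicts, and the u/m/d hive letters follow the DDS notation as assumed here.

```python
"""Triage the Pseudo HJT Report section of a DDS log for rogue-AV persistence patterns."""
import re
from collections import defaultdict

# Constructed sample input: a subset of the Pseudo HJT Report entries posted above.
SAMPLE_LOG = r"""============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [calc] rundll32.exe c:\docume~1\kiwi\ntuser.dll,_IWMPEvents@0
uRun: [BackUp Windows 2009] c:\docume~1\kiwi\locals~1\temp\cr2kbcxp9.exe
uRun: [tyoucsbe] c:\documents and settings\kiwi\local settings\application data\knfyxg\xtccsysguard.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [tyoucsbe] c:\documents and settings\kiwi\local settings\application data\knfyxg\xtccsysguard.exe
dRun: [calc] rundll32.exe c:\docume~1\networ~1\ntuser.dll,_IWMPEvents@0
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: kepivuve.dll
LSA: Notification Packages = scecli psqlpwd gehiraso.dll

================= FIREFOX ===================
"""

# DDS notation (assumed): uRun = current user, mRun = machine, dRun = default user hive.
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]*)\] (.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (\w+) = (\d+)")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(\S+?\.dll),(\S+)", re.I)
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.I)
LOCAL_APPDATA_RE = re.compile(r"\\local settings\\application data\\", re.I)
# Policies that lock the user out of the tools they would use to investigate.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr"}
# scecli is the only notification package Windows registers by default.
EXPECTED_LSA_PACKAGES = {"scecli"}


def hjt_section(text):
    """Yield the non-empty lines between the Pseudo HJT Report header and the next header."""
    inside = False
    for line in text.splitlines():
        if line.startswith("====="):
            if "Pseudo HJT Report" in line:
                inside = True
                continue
            if inside:
                break
        if inside and line.strip():
            yield line.rstrip()


def triage(text):
    """Return {log line: [reasons]} for entries matching a persistence heuristic."""
    findings = defaultdict(list)
    rundll_by_name = defaultdict(list)  # value name -> [(hive, line)]
    for line in hjt_section(text):
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if TEMP_RE.search(cmd):
                findings[line].append("autorun launched from a Temp directory")
            elif LOCAL_APPDATA_RE.search(cmd):
                findings[line].append("autorun launched from per-user Local Settings\\Application Data")
            d = RUNDLL_RE.match(cmd)
            if d:
                rundll_by_name[name].append((hive, line))
                if not d.group(1).lower().startswith("c:\\windows\\"):
                    findings[line].append("rundll32 loads a DLL from outside the Windows directory")
            continue
        p = POLICY_RE.match(line)
        if p and p.group(1) in LOCKDOWN_POLICIES and p.group(2) != "0":
            findings[line].append(f"lockdown policy {p.group(1)} is set")
            continue
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings[line].append("AppInit_DLLs injects a DLL into every process that loads user32.dll")
            continue
        if line.startswith("LSA: Notification Packages ="):
            extra = set(line.split("=", 1)[1].split()) - EXPECTED_LSA_PACKAGES
            if extra:
                findings[line].append(
                    "non-default LSA notification packages (review): " + ", ".join(sorted(extra)))
    # The same rundll32 value name registered under several hives is a strong persistence sign,
    # even when one copy (calc.dll in system32) lives in a trusted-looking directory.
    for name, entries in rundll_by_name.items():
        hives = {h for h, _ in entries}
        if len(hives) > 1:
            for _, line in entries:
                findings[line].append(
                    f"rundll32 value '{name}' registered in several hives ({''.join(sorted(hives))})")
    return dict(findings)


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```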


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:52 PM

Posted 12 November 2009 - 10:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 sweetsweetsweet

sweetsweetsweet
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:52 PM

Posted 13 November 2009 - 04:08 AM

Thanks for responding!
Okay, so, I haven't done anything significant to this computer since the day I posted.
(I've been using my spare computer to go online and trying to keep this one off-line as much as possible)

But today, it doesn't seem like the Antivirus System PRO is showing up?! No pop-ups, no blocking my access of programs, xtccsysguard.exe isn't showing up in processes...
I'm so confused, since it has been showing up consistently every time I turned on my computer before today.
It has to still be there since 1.) I wasn't able to get rid of it and 2.) these things don't just vanish!

So, please help me figure out how to get rid of this! Thank you!


DDS (Ver_09-10-26.01) - NTFSx86
Run by kiwi at 0:51:56.23 on Fri 11/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1546 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\DOCUME~1\kiwi\LOCALS~1\Temp\cr2kbcxp9.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\DOCUME~1\kiwi\LOCALS~1\Temp\winamp.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\kiwi\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - No File
BHO: BHO: {b6d223f6-c185-49a2-ba7e-a03e84744702} - c:\windows\system32\iehelper.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [calc] rundll32.exe c:\docume~1\kiwi\ntuser.dll,_IWMPEvents@0
uRun: [winhbt.exe] c:\docume~1\kiwi\locals~1\temp\winhbt.exe
uRun: [BackUp Windows 2009] c:\docume~1\kiwi\locals~1\temp\cr2kbcxp9.exe
uRun: [tyoucsbe] c:\documents and settings\kiwi\local settings\application data\knfyxg\xtccsysguard.exe
uRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\docume~1\kiwi\locals~1\temp\winamp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [tyoucsbe] c:\documents and settings\kiwi\local settings\application data\knfyxg\xtccsysguard.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\jj9OngFQB.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [calc] rundll32.exe c:\docume~1\networ~1\ntuser.dll,_IWMPEvents@0
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: kepivuve.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd gehiraso.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kiwi\applic~1\mozilla\firefox\profiles\bi6nuxz0.default\
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2008-7-24 22560]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2008-7-24 2058776]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [2008-7-24 72448]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-7-24 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-24 41216]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2008-7-24 71961]
S3 happy;happy;c:\windows\system32\drivers\happy.sys [2009-11-7 34816]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-11-08 07:34:16 34816 ----a-w- c:\windows\system32\drivers\happy.sys
2009-11-08 06:21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 06:21:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 06:13:58 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-08 06:10:15 7680 --sha-w- c:\windows\Thumbs.db
2009-11-08 05:47:24 12032 ----a-w- c:\windows\system32\iehelper.dll
2009-11-08 05:00:11 0 d-----w- c:\docume~1\kiwi\applic~1\Malwarebytes
2009-11-08 05:00:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 05:00:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-08 04:58:00 4045544 ----a-w- C:\mbam-setup.exe
2009-11-08 04:57:55 262656 ----a-w- C:\rkill.com
2009-11-07 09:24:28 0 --sha-w- C:\-662714555
2009-11-02 01:16:43 0 d-----w- c:\docume~1\kiwi\applic~1\.BitTornado
2009-10-18 06:55:18 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-18 06:52:26 0 d-----w- c:\windows\SHELLNEW
2009-10-18 06:22:56 0 d-----w- c:\windows\system32\appmgmt
2009-10-17 09:23:25 0 d-----w- c:\windows\SQL9_KB970892_ENU

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:58:50 19791 ----a-w- c:\windows\HPHins02.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-03-21 14:06:58 24064 --sha-w- c:\windows\system32\calc.dll
2009-08-07 09:24:33 52224 --sha-w- c:\windows\system32\hujepaka.dll
2009-08-07 09:24:33 52224 --sha-w- c:\windows\system32\kepivuve.dll
2008-07-24 22:47:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-03-22 04:36:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032120090322\index.dat

============= FINISH: 0:52:23.71 ===============


#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:52 PM

Posted 13 November 2009 - 08:04 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

You're still infected! :(

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check".
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Combofix.txt
* OTL.txt
* OTL Extra.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 sweetsweetsweet
  • Topic Starter
  • Members
  • 11 posts

Posted 14 November 2009 - 06:32 PM

Uh oh, combofix won't run.

I get an error saying:

Date Error: 2009-11-14
Check your settings

But today is 11/14/2009....

Please let me know what I should try~ Thanks!

#6 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 14 November 2009 - 10:01 PM

Right click and delete your current copy of Combofix. Pay close attention to the instructions. :(

==========

Please download exeHelper to your desktop. Don't run it yet.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

==========

Now reboot into Safe Mode.
  • This can be done by tapping the F8 key as soon as you start your computer.
  • You will be brought to a menu where you can choose to boot into safe mode.
  • Make sure you choose the option with networking support.
  • Please see here for additional details.
==========

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Exehelper log
* Combofix.txt

Kind regards,
~t

#7 sweetsweetsweet
  • Topic Starter
  • Members
  • 11 posts

Posted 17 November 2009 - 01:26 AM

I'm still getting the date error from combofix, even after running exehelperlog.

I've never seen an error like this before, so I'm kind of confused.

Please respond when you have time, thanks!

Posting the exehelperlog below:

exeHelper by Raktor
Build 20091021
Run at 22:12:11 on 11/16/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\calc.dll
Deleting file C:\Documents and Settings\kiwi\ntuser.dll
Deleting file C:\Documents and Settings\kiwi\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\kiwi\Start Menu\Programs\Startup\scandisk.lnk
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#8 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 17 November 2009 - 09:58 AM

Alright.

Please do this.....

Re-run RKill.

=========

Re-run Exehelper.

=========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check".
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Exehelper log
* OTL.txt
* Extra.txt
* Gmer log

Kind regards,
~t

#9 sweetsweetsweet
  • Topic Starter
  • Members
  • 11 posts

Posted 20 November 2009 - 04:55 AM

Sorry for taking so long, been busy with school.

I ran everything according to your instructions. GMER didn't come up with anything at all. It said something like it didn't find any changes in the system... :(

Posted are the requested logs except the GMER one:

exeHelper by Raktor
Build 20091021
Run at 22:12:11 on 11/16/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\calc.dll
Deleting file C:\Documents and Settings\kiwi\ntuser.dll
Deleting file C:\Documents and Settings\kiwi\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\kiwi\Start Menu\Programs\Startup\scandisk.lnk
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 22:17:04 on 11/16/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 00:42:26 on 11/20/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


OTL logfile created on: 11/20/2009 12:44:06 AM - Run 1
OTL by OldTimer - Version 3.1.6.0 Folder = C:\Documents and Settings\kiwi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.79% Memory free
3.84 Gb Paging File | 3.55 Gb Available in Paging File | 92.24% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 226.88 Gb Total Space | 187.48 Gb Free Space | 82.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 1.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EVILKIWI
Current User Name: kiwi
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/20 00:36:50 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
PRC - [2009/09/03 13:17:14 | 03,342,336 | ---- | M] (Electronic Arts) -- C:\Program Files\Electronic Arts\EADM\Core.exe
PRC - [2009/02/06 02:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/02/06 02:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/06/16 17:21:36 | 02,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2008/06/16 17:21:15 | 00,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2008/05/21 07:57:23 | 00,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2008/05/21 07:57:23 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2008/05/21 07:57:22 | 00,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2008/05/15 16:31:00 | 00,315,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2008/05/13 17:58:46 | 00,503,808 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
PRC - [2008/04/30 18:41:12 | 00,815,104 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/04/30 18:27:12 | 01,347,584 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2008/04/30 18:20:38 | 00,901,120 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2008/04/30 18:11:20 | 01,191,936 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2008/04/30 18:10:10 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/04/15 16:54:42 | 00,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/15 16:54:40 | 00,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/25 18:04:42 | 00,217,088 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2008/03/25 11:53:46 | 00,176,128 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2008/01/11 16:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/12/06 12:39:12 | 00,576,104 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/12/06 12:39:12 | 00,264,800 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2007/06/05 21:46:52 | 00,053,776 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\psqltray.exe
PRC - [2007/02/05 10:22:08 | 00,546,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
PRC - [2006/02/28 04:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2003/12/22 07:38:42 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2003/04/01 18:20:37 | 00,012,288 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe


========== Modules (SafeList) ==========

MOD - [2009/11/20 00:36:50 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
MOD - [2009/08/07 01:24:33 | 00,052,224 | -HS- | M] () -- C:\WINDOWS\system32\kepivuve.dll
MOD - [2009/08/07 01:24:33 | 00,052,224 | -HS- | M] () -- C:\WINDOWS\system32\hujepaka.dll
MOD - [2008/04/14 04:42:52 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 04:41:54 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2007/12/06 09:54:44 | 00,073,728 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/05/27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/06/16 17:44:37 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/06/16 17:21:36 | 02,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS)
SRV - [2008/06/16 17:21:15 | 00,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS)
SRV - [2008/04/30 18:41:12 | 00,815,104 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/04/30 18:20:38 | 00,901,120 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2008/04/30 18:10:10 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/04/15 16:54:42 | 00,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2008/04/14 04:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/03/25 11:53:46 | 00,176,128 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/01/11 16:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/06 12:39:12 | 00,264,800 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/10 23:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Media Connect\mswmccds.exe -- (WmcCds)
SRV - [2004/08/10 20:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs)
SRV - [2004/03/18 15:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/11/08 00:19:13 | 00,034,816 | ---- | M] () -- C:\WINDOWS\system32\drivers\happy.sys -- (happy)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/06/16 17:44:23 | 06,551,008 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/06/12 11:55:09 | 06,018,464 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/06/11 10:11:58 | 04,742,144 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2008/05/21 12:03:47 | 00,312,344 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/05/21 07:57:23 | 00,108,767 | ---- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/05/19 10:21:48 | 00,071,961 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SonyPI.sys -- (SPI)
DRV - [2008/05/16 11:51:10 | 00,072,448 | ---- | M] (Ricoh co.,Ltd.) -- C:\WINDOWS\system32\drivers\5U875.sys -- (5U875UVC)
DRV - [2008/05/16 11:26:52 | 00,046,592 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\risdptsk.sys -- (risdptsk)
DRV - [2008/05/16 11:13:04 | 00,285,952 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/05/16 11:07:11 | 00,244,368 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress)
DRV - [2008/05/16 10:46:20 | 00,012,672 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2008/05/16 10:46:19 | 00,990,592 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/05/16 10:46:19 | 00,727,808 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/05/16 10:46:19 | 00,208,256 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2008/05/09 11:07:57 | 00,022,560 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\shpf.sys -- (shpf)
DRV - [2008/05/01 11:09:34 | 00,048,896 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)
DRV - [2008/04/28 05:14:54 | 03,626,112 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 21:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/20 11:32:24 | 00,011,904 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008/03/10 16:21:28 | 00,074,688 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/03/10 16:21:27 | 00,879,624 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/03/10 16:21:27 | 00,156,392 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/03/10 16:21:27 | 00,055,352 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008/03/10 16:21:27 | 00,037,424 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/03/10 16:21:26 | 00,539,512 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2007/09/17 14:16:46 | 00,066,560 | ---- | M] (REDC) -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/09/05 15:24:00 | 00,041,216 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2007/08/16 09:28:40 | 00,047,120 | ---- | M] (UPEK Inc.) -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2007/01/09 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/11/07 08:32:32 | 00,166,400 | ---- | M] (Novatel Wireless Inc) -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2006/02/28 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2005/07/07 20:55:01 | 00,051,088 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2005/07/07 20:55:01 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2005/07/07 20:55:01 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2000/12/05 15:18:02 | 00,003,952 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\..\URLSearchHook: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll (America Online, Inc.)
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.15

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 01:53:38 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/07 23:22:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/29 15:12:32 | 00,000,000 | ---D | M]

[2009/03/21 21:17:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Extensions
[2009/03/21 21:17:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/06 19:09:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\extensions
[2009/09/03 14:26:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/21 21:16:34 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/29 15:12:30 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/10/29 15:12:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/10/29 15:12:30 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/10/29 15:12:30 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 19:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/06/13 11:59:04 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/06/13 11:59:04 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/06/13 11:59:04 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/06/13 11:59:04 | 00,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/06/13 11:59:04 | 00,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/06/13 11:59:04 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/06/13 11:59:04 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (143 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winwarepro.microsoft.com
O1 - Hosts: 91.212.127.226 winwarepro.com
O1 - Hosts: 91.212.127.226 www.winwarepro.com
O2 - BHO: (no name) - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - No CLSID value found.
O2 - BHO: (BHO) - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll ()
O2 - BHO: (no name) - {ff5e1334-ed99-468f-92e6-637a90e2640e} - C:\WINDOWS\System32\hujepaka.dll ()
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [duhowamame] File not found
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\jj9OngFQB.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe (Sony Corporation)
O4 - HKLM..\Run: [tyoucsbe] C:\Documents and Settings\kiwi\Local Settings\Application Data\knfyxg\xtccsysguard.exe ()
O4 - HKLM..\Run: [VAIO Update 3] C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe (Sony Corporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\Winampa.exe ()
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [duhowamame] File not found
O4 - HKU\S-1-5-20..\Run: [duhowamame] File not found
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl File not found
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [BackUp Windows 2009] C:\Documents and Settings\kiwi\Local Settings\Temp\cr2kbcxp9.exe ()
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [tyoucsbe] C:\Documents and Settings\kiwi\Local Settings\Application Data\knfyxg\xtccsysguard.exe ()
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [winhbt.exe] C:\Documents and Settings\kiwi\Local Settings\Temp\winhbt.exe ()
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\Documents and Settings\kiwi\Local Settings\Temp\winamp.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 8
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (kepivuve.dll) - C:\WINDOWS\System32\kepivuve.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\WINDOWS\system32\psqlpwd.dll - C:\WINDOWS\system32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/24 14:18:39 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/20 00:41:39 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
[2009/11/16 22:17:52 | 00,000,000 | --SD | C] -- C:\thcbytes
[2009/11/14 15:17:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/14 15:16:51 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/07 23:41:07 | 01,308,216 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\kiwi\Desktop\fluffybunny.exe
[2009/11/07 23:21:01 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/11/07 23:18:37 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\kiwi\Desktop\happy.exe
[2009/11/07 22:21:55 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/07 22:21:50 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/07 22:13:58 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/11/07 21:00:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kiwi\Application Data\Malwarebytes
[2009/11/07 21:00:05 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/07 21:00:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/07 20:58:00 | 04,045,544 | ---- | C] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2009/11/07 01:24:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kiwi\Local Settings\Application Data\knfyxg
[2009/11/01 20:55:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kiwi\Desktop\193324-Intercross_Hizamazuite_Ai_wo_Chikae
[2009/11/01 17:16:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kiwi\Application Data\.BitTornado
[2009/10/31 14:45:27 | 05,357,360 | ---- | C] (Design Science, Inc.) -- C:\Documents and Settings\kiwi\Desktop\MathType6.exe
[2009/10/30 22:59:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kiwi\Desktop\YUI - It's all too much - Never say die
[2009/10/25 23:34:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\kiwi\Desktop\MATSCI m105
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/20 00:41:48 | 00,001,744 | -H-- | M] () -- C:\WINDOWS\System32\zodedika
[2009/11/20 00:40:42 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/20 00:40:30 | 00,176,225 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/20 00:40:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/20 00:40:24 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/20 00:40:20 | 21,440,26624 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/20 00:36:57 | 00,291,840 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\1xo0rbvi.exe
[2009/11/20 00:36:50 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
[2009/11/20 00:36:40 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\rkill.exe
[2009/11/20 00:36:35 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\rkill.com
[2009/11/18 02:29:32 | 04,718,592 | ---- | M] () -- C:\Documents and Settings\kiwi\ntuser.dat
[2009/11/18 02:29:32 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\kiwi\ntuser.ini
[2009/11/18 02:29:23 | 04,303,736 | -H-- | M] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\IconCache.db
[2009/11/18 00:58:00 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2009/11/17 22:29:16 | 00,591,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/17 22:29:16 | 00,491,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/17 22:29:16 | 00,089,828 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/16 22:00:33 | 03,564,038 | R--- | M] () -- C:\Documents and Settings\kiwi\Desktop\thcbytes.exe
[2009/11/16 22:00:33 | 03,564,038 | ---- | M] () -- C:\Documents and Settings\kiwi\My Documents\thcbytes.exe
[2009/11/16 21:58:58 | 00,288,256 | ---- | M] () -- C:\Documents and Settings\kiwi\My Documents\exeHelper.com
[2009/11/16 21:58:58 | 00,288,256 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\exeHelper.com
[2009/11/13 00:59:39 | 00,004,076 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\Attach.zip
[2009/11/13 00:37:32 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\dds.pif
[2009/11/12 00:30:24 | 00,012,032 | ---- | M] () -- C:\WINDOWS\System32\iehelper.dll
[2009/11/08 00:19:13 | 00,034,816 | ---- | M] () -- C:\WINDOWS\System32\drivers\happy.sys
[2009/11/07 23:06:43 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\kiwi\Desktop\happy.exe
[2009/11/07 23:06:21 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\bunny.scr
[2009/11/07 22:10:14 | 00,010,752 | ---- | M] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/07 20:18:51 | 04,045,544 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2009/11/07 20:18:33 | 00,262,656 | ---- | M] () -- C:\rkill.com
[2009/11/07 01:24:28 | 00,000,000 | -HS- | M] () -- C:\-662714555
[2009/11/07 00:52:02 | 00,001,748 | -H-- | M] () -- C:\Documents and Settings\kiwi\My Documents\Default.rdp
[2009/11/01 20:58:31 | 06,477,680 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\368659-Kazekaze_no_Hito_c01_coyomoose.rar
[2009/11/01 20:57:11 | 06,037,620 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\300931-Kazekaze no Hito v01 c02 Coyomoose.zip
[2009/11/01 20:35:17 | 81,618,910 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\193324-Intercross_Hizamazuite_Ai_wo_Chikae.rar
[2009/11/01 18:22:33 | 00,148,518 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\Untitled-1____8 copy.jpg
[2009/11/01 16:46:41 | 00,283,834 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\mfilesfpever501.zip
[2009/11/01 16:46:22 | 00,051,237 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\fpe5err.pdf
[2009/11/01 00:17:48 | 00,001,065 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2009/10/31 14:46:24 | 05,357,360 | ---- | M] (Design Science, Inc.) -- C:\Documents and Settings\kiwi\Desktop\MathType6.exe
[2009/10/30 21:33:46 | 00,058,679 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\12834_164324234194_764199194_2752776_4941392_n.jpg
[2009/10/29 16:41:12 | 00,070,832 | ---- | M] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/22 19:11:59 | 00,275,760 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/21 23:24:21 | 00,000,422 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/20 00:41:37 | 00,291,840 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\1xo0rbvi.exe
[2009/11/20 00:41:28 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\rkill.exe
[2009/11/20 00:41:23 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\rkill.com
[2009/11/17 22:24:40 | 21,440,26624 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/16 22:07:12 | 03,564,038 | ---- | C] () -- C:\Documents and Settings\kiwi\My Documents\thcbytes.exe
[2009/11/16 22:07:12 | 00,288,256 | ---- | C] () -- C:\Documents and Settings\kiwi\My Documents\exeHelper.com
[2009/11/16 22:07:02 | 03,564,038 | R--- | C] () -- C:\Documents and Settings\kiwi\Desktop\thcbytes.exe
[2009/11/16 22:07:02 | 00,288,256 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\exeHelper.com
[2009/11/13 00:59:39 | 00,004,076 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\Attach.zip
[2009/11/13 00:43:00 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\dds.pif
[2009/11/07 23:34:16 | 00,034,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\happy.sys
[2009/11/07 23:18:34 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\bunny.scr
[2009/11/07 21:47:24 | 00,012,032 | ---- | C] () -- C:\WINDOWS\System32\iehelper.dll
[2009/11/07 20:57:55 | 00,262,656 | ---- | C] () -- C:\rkill.com
[2009/11/07 01:24:28 | 00,000,000 | -HS- | C] () -- C:\-662714555
[2009/11/01 20:56:05 | 06,037,620 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\300931-Kazekaze no Hito v01 c02 Coyomoose.zip
[2009/11/01 20:55:52 | 06,477,680 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\368659-Kazekaze_no_Hito_c01_coyomoose.rar
[2009/11/01 20:20:25 | 81,618,910 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\193324-Intercross_Hizamazuite_Ai_wo_Chikae.rar
[2009/11/01 18:22:33 | 00,148,518 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\Untitled-1____8 copy.jpg
[2009/11/01 16:46:37 | 00,283,834 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\mfilesfpever501.zip
[2009/11/01 16:46:21 | 00,051,237 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\fpe5err.pdf
[2009/10/30 21:51:53 | 25,047,738 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\It's all too much Offshot.wmv
[2009/10/30 21:51:53 | 16,807,211 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\Never say die Offshot.wmv
[2009/10/30 21:51:51 | 37,324,366 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\It's all too much Photoshoot.avi
[2009/10/30 21:33:45 | 00,058,679 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\12834_164324234194_764199194_2752776_4941392_n.jpg
[2009/09/09 19:53:41 | 00,000,398 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/08/07 01:24:33 | 00,052,224 | -HS- | C] () -- C:\WINDOWS\System32\kepivuve.dll
[2009/08/07 01:24:33 | 00,052,224 | -HS- | C] () -- C:\WINDOWS\System32\hujepaka.dll
[2009/07/04 15:42:13 | 00,001,065 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2009/06/19 01:35:39 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/06/19 01:35:39 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/06/19 01:35:38 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/06/19 01:35:38 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/04/04 19:16:01 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\kiwi\Application Data\wklnhst.dat
[2009/03/24 16:08:48 | 00,010,752 | ---- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/21 21:19:22 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/03/21 20:41:32 | 04,303,736 | -H-- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\IconCache.db
[2009/03/21 20:41:32 | 00,070,832 | ---- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/21 20:41:32 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\fusioncache.dat
[2009/03/21 20:41:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\kiwi\Application Data\desktop.ini
[2008/07/24 17:59:52 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/24 17:09:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2008/07/24 16:49:14 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/07/24 16:49:14 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/07/24 16:49:14 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/07/24 16:49:14 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/07/24 16:49:14 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/07/24 16:49:14 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/07/24 14:48:46 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4953.dll
[2008/07/24 14:24:03 | 00,000,811 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2008/07/24 14:07:52 | 00,000,764 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/07/24 14:07:45 | 00,000,491 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/07/24 14:07:44 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/07/24 07:13:59 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2007/12/06 09:55:12 | 02,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/10/18 13:47:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/02/17 10:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 10:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2002/06/12 11:21:12 | 00,049,152 | R--- | C] () -- C:\WINDOWS\System32\winchip.dll
[2001/11/14 11:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/06/05 17:10:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2008/07/24 16:43:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2009/03/21 21:26:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/24 16:54:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2009/11/01 17:16:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\.BitTornado
[2009/06/11 16:22:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\InterVideo
[2009/05/22 17:03:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Leadertech
[2009/04/04 19:16:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Template
[2006/02/28 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/21 20:41:20 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 2.job
[2009/03/21 20:41:20 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 3.job
[2009/11/20 00:40:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >



OTL Extras logfile created on: 11/20/2009 12:44:06 AM - Run 1
OTL by OldTimer - Version 3.1.6.0 Folder = C:\Documents and Settings\kiwi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.79% Memory free
3.84 Gb Paging File | 3.55 Gb Available in Paging File | 92.24% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 226.88 Gb Total Space | 187.48 Gb Free Space | 82.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 1.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EVILKIWI
Current User Name: kiwi
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\Sony\VAIO Event Service\VESMgr.exe" = C:\Program Files\Sony\VAIO Event Service\VESMgr.exe:*:Enabled:VESMgr -- (Sony Corporation)
"C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe" = C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe:*:Enabled:RegSrvc -- (Intel® Corporation)
"C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe" = C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe:*:Enabled:ZCfgSvc -- (Intel® Corporation)
"C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" = C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe:*:Enabled:iFrmewrk -- (Intel® Corporation)
"C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" = C:\Program Files\Sony\VAIO Power Management\SPMgr.exe:*:Enabled:SPMgr -- (Sony Corporation)
"C:\WINDOWS\system32\drwtsn32.exe" = C:\WINDOWS\system32\drwtsn32.exe:*:Enabled:drwtsn32 -- (Microsoft Corporation)
"C:\Program Files\Intel\WiFi\bin\EvtEng.exe" = C:\Program Files\Intel\WiFi\bin\EvtEng.exe:*:Enabled:EvtEng -- (Intel® Corporation)
"C:\Program Files\Intel\WiFi\bin\S24EvMon.exe" = C:\Program Files\Intel\WiFi\bin\S24EvMon.exe:*:Enabled:S24EvMon -- (Intel® Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio DigitalMedia Data
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26921B2E-3E62-47F9-A514-1FC4A83BD738}" = Intel® PROSet/Wireless WiFi Software
"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37FD2F04-EC91-41AE-B5AB-AFF904BF20EE}" = Mobile Broadband Drivers
"{3A23120C-CD83-4CE6-B451-C5C998052522}" = Battery Care Function
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{48820099-ED7D-424B-890C-9A82EF00656D}" = VAIO Update 3
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{80EE18E6-F16C-11D4-8BE8-006097C9A3ED}" = ISScript
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for VAIO
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9E319E96-ED8E-4B01-9775-C521A1869A25}" = VAIO Power Management
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2289997-10A3-48F2-AA03-99180D761661}" = Protector Suite QL 5.6
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio DigitalMedia Audio
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{AC76BA86-7AD7-5760-0000-800000000003}" = Japanese Fonts Support For Adobe Reader 8
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio DigitalMedia Copy
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B75A38E9-3F99-497E-A46E-625FC6D76066}" =
"{BA46CCF2-2C59-4DEB-93DC-7000B7C53B4E}" = VAIOSurveySA
"{BBFFB027-7D53-4E1B-95BC-35A2216D1D60}" = VAIO Long Battery Life Wallpaper
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH
"{DC5A3749-4535-4EAD-842A-DDE976CC6B38}" = PS7900
"{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}" = HP Software Update
"{DE2EBD6F-81B6-4E9A-B137-C11FD6790CFF}" = PSShortcutsP
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{EFE26D3B-2789-4068-A5BB-77E389FAEB98}" = PSUsage
"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FC37C108-821D-4EDE-8F40-D5B497586805}" = VAIO Control Center
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe SVG Viewer" = Adobe SVG Viewer
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Search Enhancement" = Search Enhancement by AOL Search
"AOL Toolbar" = AOL Toolbar 5.0
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CNXT_MODEM_PCI_VEN_14F1&DEV_2C06&SUBSYS_104D1700" = Soft Data Fax Modem with SmartCP
"DivX Codec" = DivX Codec
"DVD Decrypter" = DVD Decrypter (Remove Only)
"EADM" = EA Download Manager
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.0
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IE7-MUI" = Windows Internet Explorer 7 Multilingual User Interface (MUI)
"InstallShield_{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"InstallShield_{BA46CCF2-2C59-4DEB-93DC-7000B7C53B4E}" = VAIOSurveySA
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.00 Full
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Memory Stick Icon1.0" = Memory Stick Icon
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"mIRC" = mIRC
"Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel PROSet Wireless
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Winamp" = Winamp (remove only)
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/17/2009 2:05:12 AM | Computer Name = EVILKIWI | Source = Application Error | ID = 1000
Description = Faulting application winhbt.exe, version 0.0.0.0, faulting module
winhbt.exe, version 0.0.0.0, fault address 0x00002b96.

Error - 11/17/2009 2:09:21 AM | Computer Name = EVILKIWI | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 11/17/2009 2:09:22 AM | Computer Name = EVILKIWI | Source = LMS | ID = 2
Description = Failed to unregister for device notifications

Error - 11/18/2009 2:24:52 AM | Computer Name = EVILKIWI | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 11/18/2009 2:24:53 AM | Computer Name = EVILKIWI | Source = LMS | ID = 2
Description = Failed to unregister for device notifications

Error - 11/18/2009 2:25:39 AM | Computer Name = EVILKIWI | Source = Application Error | ID = 1000
Description = Faulting application winhbt.exe, version 0.0.0.0, faulting module
winhbt.exe, version 0.0.0.0, fault address 0x00002b96.

Error - 11/20/2009 4:40:34 AM | Computer Name = EVILKIWI | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 11/20/2009 4:40:35 AM | Computer Name = EVILKIWI | Source = LMS | ID = 2
Description = Failed to unregister for device notifications

Error - 11/20/2009 4:40:44 AM | Computer Name = EVILKIWI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 11/20/2009 4:40:55 AM | Computer Name = EVILKIWI | Source = Application Error | ID = 1000
Description = Faulting application winhbt.exe, version 0.0.0.0, faulting module
winhbt.exe, version 0.0.0.0, fault address 0x00002b96.

[ System Events ]
Error - 11/18/2009 2:25:23 AM | Computer Name = EVILKIWI | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/18/2009 2:25:23 AM | Computer Name = EVILKIWI | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/18/2009 2:25:23 AM | Computer Name = EVILKIWI | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/20/2009 4:40:34 AM | Computer Name = EVILKIWI | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 11/20/2009 4:40:35 AM | Computer Name = EVILKIWI | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 11/20/2009 4:40:46 AM | Computer Name = EVILKIWI | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/20/2009 4:40:47 AM | Computer Name = EVILKIWI | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/20/2009 4:40:47 AM | Computer Name = EVILKIWI | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/20/2009 4:41:42 AM | Computer Name = EVILKIWI | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/20/2009 4:41:42 AM | Computer Name = EVILKIWI | Source = Service Control Manager | ID = 7034
Description = The Pml Driver HPZ12 service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 20 November 2009 - 07:34 AM

Hi there,



We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    MOD - [2009/08/07 01:24:33 | 00,052,224 | -HS- | M] () -- C:\WINDOWS\system32\kepivuve.dll
    MOD - [2009/08/07 01:24:33 | 00,052,224 | -HS- | M] () -- C:\WINDOWS\system32\hujepaka.dll
    DRV - [2009/11/08 00:19:13 | 00,034,816 | ---- | M] () -- C:\WINDOWS\system32\drivers\happy.sys -- (happy)
    O1 - Hosts: 91.212.127.226 winwarepro.microsoft.com
    O1 - Hosts: 91.212.127.226 winwarepro.com
    O1 - Hosts: 91.212.127.226 www.winwarepro.com
    O2 - BHO: (no name) - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - No CLSID value found.
    O2 - BHO: (BHO) - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\WINDOWS\system32\iehelper.dll ()
    O2 - BHO: (no name) - {ff5e1334-ed99-468f-92e6-637a90e2640e} - C:\WINDOWS\System32\hujepaka.dll ()
    O4 - HKLM..\Run: [duhowamame] File not found
    O4 - HKU\S-1-5-19..\Run: [duhowamame] File not found
    O4 - HKU\S-1-5-20..\Run: [duhowamame] File not found
    O4 - HKLM..\Run: [tyoucsbe] C:\Documents and Settings\kiwi\Local Settings\Application Data\knfyxg\xtccsysguard.exe ()
    O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [BackUp Windows 2009] C:\Documents and Settings\kiwi\Local Settings\Temp\cr2kbcxp9.exe ()
    O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [tyoucsbe] C:\Documents and Settings\kiwi\Local Settings\Application Data\knfyxg\xtccsysguard.exe ()
    O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [winhbt.exe] C:\Documents and Settings\kiwi\Local Settings\Temp\winhbt.exe ()
    O20 - AppInit_DLLs: (kepivuve.dll) - C:\WINDOWS\System32\kepivuve.dll ()
    [2009/11/07 23:18:37 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\kiwi\Desktop\happy.exe
    [2009/11/20 00:41:48 | 00,001,744 | -H-- | M] () -- C:\WINDOWS\System32\zodedika
    
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=0
    "UpdatesDisableNotify"=0
    
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
==========

Right click and delete your current copy of Combofix.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

I need to see that Gmer log please. Re-run it if necessary.

==========

We need to create an OTL Quick Scan
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open; copy and paste it in a reply here.
==========

With your next post please provide:

* OTL fix log
* Combofix.txt
* Gmer log
* OTL log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
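An added example (not OTL's code, nor posted by thcbytes or anyone in this thread): a Python triage pass over the OTL line formats used in the fix script above, applying the same judgement a helper makes by eye (no publisher, hidden+system attributes, autoruns from user temp directories, hosts overrides, AppInit_DLLs in use), plus a decoder for the hex(7) REG_MULTI_SZ syntax that the :Reg section uses to reset "Notification Packages". The sample lines are copied from the script; the flagging rules and the USER_WRITABLE directory list are this example's own assumptions.

```python
import re

# Constructed sample: lines copied from the :OTL section of the fix script above.
SAMPLE_OTL = """\
PRC - C:\\WINDOWS\\explorer.exe (Microsoft Corporation)
MOD - [2009/08/07 01:24:33 | 00,052,224 | -HS- | M] () -- C:\\WINDOWS\\system32\\kepivuve.dll
DRV - [2009/11/08 00:19:13 | 00,034,816 | ---- | M] () -- C:\\WINDOWS\\system32\\drivers\\happy.sys -- (happy)
O1 - Hosts: 91.212.127.226 winwarepro.microsoft.com
O2 - BHO: (BHO) - {B6D223F6-C185-49a2-BA7E-A03E84744702} - C:\\WINDOWS\\system32\\iehelper.dll ()
O4 - HKLM..\\Run: [duhowamame] File not found
O4 - HKU\\S-1-5-21-2401620803-1517409742-3996451041-1008..\\Run: [winhbt.exe] C:\\Documents and Settings\\kiwi\\Local Settings\\Temp\\winhbt.exe ()
O20 - AppInit_DLLs: (kepivuve.dll) - C:\\WINDOWS\\System32\\kepivuve.dll ()
[2009/11/07 23:18:37 | 00,472,064 | ---- | C] ( ) -- C:\\Documents and Settings\\kiwi\\Desktop\\happy.exe
"""

# "[date time | size | attrs | M/C] (publisher) -- path [-- (service)]", optionally led by MOD/DRV.
BRACKET_RE = re.compile(
    r"^(?:(?P<kind>MOD|DRV) - )?\[(?P<stamp>[^|]+) \| (?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| [MC]\] "
    r"\((?P<pub>[^)]*)\) -- (?P<path>[A-Za-z]:\\.+?)(?: -- \((?P<svc>[^)]*)\))?$")
PRC_RE = re.compile(r"^PRC - (?P<path>.+?) \((?P<pub>[^)]*)\)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - \{(?P<clsid>[^}]+)\} - (?P<rest>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<name>[^)]*)\) - (?P<rest>.+)$")
TARGET_RE = re.compile(r"^(?P<path>.+?) \((?P<pub>[^)]*)\)$")  # trailing "path (publisher)"
# Assumed list of user-writable locations where an autorun is suspicious (this example's choice).
USER_WRITABLE = ("\\local settings\\temp\\", "\\local settings\\application data\\", "\\windows\\temp\\")


def _check_target(path: str, pub: str, reasons: list) -> None:
    """Checks shared by every entry type that names a file and its publisher."""
    if not pub.strip():  # OTL prints "()" when the file carries no company name
        reasons.append("no publisher/company name")
    if any(d in path.lower() for d in USER_WRITABLE):
        reasons.append("runs from a user-writable temp/profile directory")


def triage_line(line: str) -> list:
    """Return the reasons (possibly none) why one OTL line merits a closer look."""
    reasons: list = []
    line = line.rstrip()
    if m := BRACKET_RE.match(line):
        _check_target(m["path"], m["pub"], reasons)
        if "H" in m["attrs"] and "S" in m["attrs"]:
            reasons.append("hidden+system attributes on a loaded module/file")
    elif m := PRC_RE.match(line):
        _check_target(m["path"], m["pub"], reasons)
    elif m := HOSTS_RE.match(line):
        if m["ip"] not in ("127.0.0.1", "::1"):
            reasons.append(f"hosts entry redirects {m['host']} to {m['ip']}")
        if m["host"].lower().endswith("microsoft.com"):
            reasons.append("hosts entry overrides a Microsoft domain")
    elif m := BHO_RE.match(line):
        if t := TARGET_RE.match(m["rest"]):
            _check_target(t["path"], t["pub"], reasons)
        else:  # e.g. "No CLSID value found." -- a registration left behind
            reasons.append("BHO with unresolved target: " + m["rest"])
    elif m := RUN_RE.match(line):
        if m["rest"] == "File not found":
            reasons.append(f"autorun [{m['name']}] in {m['hive']} points to a missing file")
        elif t := TARGET_RE.match(m["rest"]):
            _check_target(t["path"], t["pub"], reasons)
    elif m := APPINIT_RE.match(line):
        reasons.append("AppInit_DLLs injection point in use")  # loaded into every user32 process
        if t := TARGET_RE.match(m["rest"]):
            _check_target(t["path"], t["pub"], reasons)
    return reasons


def triage(report: str) -> list:
    """Run triage_line over a whole report, keeping only the flagged lines."""
    out = []
    for line in report.splitlines():
        if reasons := triage_line(line):
            out.append((line, reasons))
    return out


def decode_reg_multi_sz(value: str) -> list:
    """Decode the hex(7) (REG_MULTI_SZ) syntax of the :Reg section into its strings.
    The fix above uses one byte per character (73,63,65,63,6c,69,00,00 = "scecli"); regedit
    exports are UTF-16LE instead, recognised here by the NUL in every odd byte (heuristic)."""
    hexpart = value.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in hexpart.split(",") if b.strip())
    if len(raw) >= 2 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_OTL):
        print(line)
        for r in reasons:
            print("   ->", r)
    print("Notification Packages ->", decode_reg_multi_sz("hex(7):73,63,65,63,6c,69,00,00"))
```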

#11 sweetsweetsweet

sweetsweetsweet
  • Topic Starter

  • Members
  • 11 posts

Posted 22 November 2009 - 06:08 AM

Okay, I followed your instructions starting from the top.
At the first step, after running the OTL fix, and on restart, Security Tool showed up and desktop vanished. (I thought that thing was gone! Apparently not)
So, I ran rkill before running combofix.
Then I ran GMER and OTL quick scan.

Posted below are the requested logs in the order requested:

OTL fix log:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Service happy stopped successfully!
Service happy deleted successfully!
C:\WINDOWS\system32\drivers\happy.sys moved successfully.
91.212.127.226 winwarepro.microsoft.com removed from HOSTS file successfully
91.212.127.226 winwarepro.com removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A45A4B15-23F2-42AD-F4E4-00AAC39C0004}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A45A4B15-23F2-42AD-F4E4-00AAC39C0004}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6D223F6-C185-49a2-BA7E-A03E84744702}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6D223F6-C185-49a2-BA7E-A03E84744702}\ deleted successfully.
C:\WINDOWS\system32\iehelper.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff5e1334-ed99-468f-92e6-637a90e2640e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff5e1334-ed99-468f-92e6-637a90e2640e}\ deleted successfully.
C:\WINDOWS\system32\hujepaka.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\duhowamame deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\duhowamame deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\duhowamame deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tyoucsbe deleted successfully.
C:\Documents and Settings\kiwi\Local Settings\Application Data\knfyxg\xtccsysguard.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Microsoft\Windows\CurrentVersion\Run\\BackUp Windows 2009 deleted successfully.
C:\Documents and Settings\kiwi\Local Settings\Temp\cr2kbcxp9.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Microsoft\Windows\CurrentVersion\Run\\tyoucsbe deleted successfully.
File C:\Documents and Settings\kiwi\Local Settings\Application Data\knfyxg\xtccsysguard.exe not found.
Registry value HKEY_USERS\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Microsoft\Windows\CurrentVersion\Run\\winhbt.exe deleted successfully.
C:\Documents and Settings\kiwi\Local Settings\Temp\winhbt.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:kepivuve.dll deleted successfully.
C:\WINDOWS\system32\kepivuve.dll moved successfully.
C:\Documents and Settings\kiwi\Desktop\happy.exe moved successfully.
C:\WINDOWS\system32\zodedika moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\\"SecurityProviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirstRunDisabled"|0 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"UpdatesDisableNotify"|0 /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 622592 bytes
->Temporary Internet Files folder emptied: 150183 bytes
->FireFox cache emptied: 2922591 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Guest
->Temp folder emptied: 888 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 2919910 bytes

User: kiwi
->Temp folder emptied: 192964929 bytes
->Temporary Internet Files folder emptied: 448858363 bytes
->Java cache emptied: 661585 bytes
->FireFox cache emptied: 55257500 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 27049764 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23937464 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 8183536 bytes

Total Files Cleaned = 728.32 mb


OTL by OldTimer - Version 3.1.6.0 log created on 11222009_015146

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Combofix.txt:

ComboFix 09-11-21.02 - kiwi 11/22/2009 2:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1504 [GMT -8:00]
Running from: c:\documents and settings\kiwi\Desktop\thecbytes.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\95512729
c:\documents and settings\All Users\Application Data\95512729\95512729.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\kiwi\Desktop\Security Tool.lnk
c:\documents and settings\kiwi\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\NetworkService\ntuser.dll
c:\recycler\S-1-5-21-1817405557-145952931-3195567185-500
c:\recycler\S-1-5-21-2603704638-2461700223-2185901186-500
c:\recycler\S-1-5-21-57989841-839522115-1434160451-500
c:\recycler\S-1-5-21-725638185-3846407652-1023387328-500
c:\windows\setup.exe
c:\windows\system32\nedoyita.dll
c:\windows\system32\nehakite.exe
c:\windows\system32\nirotona.dll
c:\windows\system32\surosubo.exe
c:\windows\system32\viwawobi.exe
c:\windows\system32\yosutihe.exe
c:\windows\system32\yusawafa.dll

----- BITS: Possible infected sites -----

hxxp://81.222.236.97
.
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-22 09:51 . 2009-11-22 09:51 -------- d-----w- C:\_OTL
2009-11-08 07:22 . 2009-11-08 07:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-11-08 06:26 . 2009-11-08 06:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-08 06:21 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 06:21 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 06:13 . 2009-11-08 06:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-08 05:00 . 2009-11-08 05:00 -------- d-----w- c:\documents and settings\kiwi\Application Data\Malwarebytes
2009-11-08 05:00 . 2009-11-08 06:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 05:00 . 2009-11-08 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 04:58 . 2009-11-08 04:18 4045544 ----a-w- C:\mbam-setup.exe
2009-11-08 04:57 . 2009-11-08 04:18 262656 ----a-w- C:\rkill.com
2009-11-07 09:24 . 2009-11-22 09:51 -------- d-----w- c:\documents and settings\kiwi\Local Settings\Application Data\knfyxg
2009-11-02 01:16 . 2009-11-02 01:16 -------- d-----w- c:\documents and settings\kiwi\Application Data\.BitTornado
2009-10-29 19:22 . 2009-10-29 19:22 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 06:58 . 2009-06-28 08:23 -------- d-----w- c:\program files\mIRC
2009-10-30 00:41 . 2009-03-22 04:41 70832 ----a-w- c:\documents and settings\kiwi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 19:20 . 2009-10-29 19:20 70832 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 03:12 . 2008-07-25 00:56 70832 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-22 07:26 . 2008-07-25 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-18 08:51 . 2009-10-18 08:51 162112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-18 06:22 . 2008-07-25 00:59 -------- d-----w- c:\program files\Microsoft Small Business
2009-10-17 09:23 . 2008-07-25 00:57 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-11 14:18 . 2008-07-24 22:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:58 . 2009-09-10 03:53 19791 ----a-w- c:\windows\HPHins02.dat
2009-09-10 03:58 . 2009-09-10 03:58 45056 ----a-r- c:\documents and settings\kiwi\Application Data\Microsoft\Installer\{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2009-09-04 21:03 . 2008-07-24 22:07 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-07-24 22:07 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-07-24 22:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-07-24 22:07 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-07-24 22:07 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 09:52 . 2009-08-22 09:52 52224 --sha-w- c:\windows\system32\nivunaso.exe
2009-08-22 09:52 . 2009-08-22 09:52 45056 --sha-w- c:\windows\system32\wemafuni.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2004-04-27 61440]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-17 13529088]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-05-21 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-12 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-12 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-12 141848]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-05-01 1347584]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-05-01 1191936]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2008-03-26 217088]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-17 367128]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-14 503808]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-05-16 315392]
"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-02-05 546936]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2003-04-02 12288]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\jj9OngFQB.exe" [2009-11-08 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-9 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 06:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-03-25 19:53 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=
"c:\\Program Files\\Common Files\\Intel\\WirelessCommon\\RegSrvc.exe"=
"c:\\Program Files\\Intel\\WiFi\\bin\\ZCfgSvc.exe"=
"c:\\Program Files\\Common Files\\Intel\\WirelessCommon\\iFrmewrk.exe"=
"c:\\Program Files\\Sony\\VAIO Power Management\\SPMgr.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"=
"c:\\Program Files\\Intel\\WiFi\\bin\\S24EvMon.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/24/2008 2:32 PM 22560]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [7/24/2008 4:38 PM 2058776]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [7/24/2008 2:08 PM 72448]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [7/24/2008 2:08 PM 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/24/2008 2:08 PM 41216]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/24/2008 2:08 PM 71961]
.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2009-09-10 04:55]

2009-03-22 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-07-24 12:42]

2009-03-22 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-07-24 12:42]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {675E69CB-FFB0-43D7-811F-758F2E32F612} = 77.74.48.113
TCP: {92C59818-9FB9-4A69-B1DC-088D62C50A42} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-95512729 - c:\docume~1\ALLUSE~1\APPLIC~1\95512729\95512729.exe
AddRemove-HijackThis - c:\documents and settings\kiwi\Desktop\HijackThis.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 02:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\WIDCOMM\Bluetooth Software\btkeyind.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-22 02:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 10:14

Pre-Run: 202,017,837,056 bytes free
Post-Run: 201,884,585,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6136541C142E68D022226A0E80DD69FA


Gmer log:

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-22 03:00:48
Windows 5.1.2600 Service Pack 3
Running: 1xo0rbvi.exe; Driver: C:\DOCUME~1\kiwi\LOCALS~1\Temp\uxtiapod.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\thecbytes\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----


OTL log:

OTL logfile created on: 11/22/2009 3:01:44 AM - Run 2
OTL by OldTimer - Version 3.1.6.0 Folder = C:\Documents and Settings\kiwi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 70.72% Memory free
3.84 Gb Paging File | 3.45 Gb Available in Paging File | 89.83% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 226.88 Gb Total Space | 188.02 Gb Free Space | 82.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 1.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EVILKIWI
Current User Name: kiwi
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/20 00:36:50 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
PRC - [2009/09/03 13:17:14 | 03,342,336 | ---- | M] (Electronic Arts) -- C:\Program Files\Electronic Arts\EADM\Core.exe
PRC - [2009/02/06 02:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/02/06 02:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/06/16 17:44:37 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/06/16 17:21:36 | 02,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2008/06/16 17:21:15 | 00,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2008/05/21 07:57:23 | 00,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2008/05/21 07:57:23 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2008/05/21 07:57:22 | 00,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2008/05/15 16:31:00 | 00,315,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2008/05/13 17:58:46 | 00,503,808 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
PRC - [2008/04/30 18:41:12 | 00,815,104 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/04/30 18:27:12 | 01,347,584 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2008/04/30 18:20:38 | 00,901,120 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2008/04/30 18:11:20 | 01,191,936 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2008/04/30 18:10:10 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/04/15 16:54:42 | 00,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/15 16:54:40 | 00,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/04/14 04:42:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/25 18:04:42 | 00,217,088 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2008/03/25 11:53:46 | 00,176,128 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2008/01/11 16:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/12/06 12:39:12 | 00,576,104 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/12/06 12:39:12 | 00,264,800 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2007/06/05 21:46:52 | 00,053,776 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\psqltray.exe
PRC - [2007/02/05 10:22:08 | 00,546,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
PRC - [2006/02/28 04:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2005/07/07 20:55:00 | 00,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
PRC - [2004/03/18 15:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2003/12/22 07:38:42 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2003/12/05 14:41:44 | 00,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe


========== Modules (SafeList) ==========

MOD - [2009/11/20 00:36:50 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
MOD - [2008/04/14 04:42:52 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 04:41:54 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2007/12/06 09:54:44 | 00,073,728 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/05/27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/06/16 17:44:37 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/06/16 17:21:36 | 02,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS)
SRV - [2008/06/16 17:21:15 | 00,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS)
SRV - [2008/04/30 18:41:12 | 00,815,104 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/04/30 18:20:38 | 00,901,120 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2008/04/30 18:10:10 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/04/15 16:54:42 | 00,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2008/04/14 04:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/03/25 11:53:46 | 00,176,128 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/01/11 16:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/12/06 12:39:12 | 00,264,800 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/10 23:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Media Connect\mswmccds.exe -- (WmcCds)
SRV - [2004/08/10 20:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs)
SRV - [2004/03/18 15:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\..\URLSearchHook: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll (America Online, Inc.)
IE - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.15

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 01:53:38 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/07 23:22:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/29 15:12:32 | 00,000,000 | ---D | M]

[2009/03/21 21:17:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Extensions
[2009/03/21 21:17:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/06 19:09:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\extensions
[2009/09/03 14:26:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/21 21:16:34 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/29 15:12:30 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/10/29 15:12:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/10/29 15:12:30 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/10/29 15:12:30 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 19:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/06/13 11:59:04 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/06/13 11:59:04 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/06/13 11:59:04 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/06/13 11:59:04 | 00,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/06/13 11:59:04 | 00,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/06/13 11:59:04 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/06/13 11:59:04 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\jj9OngFQB.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe (Sony Corporation)
O4 - HKLM..\Run: [VAIO Update 3] C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe (Sony Corporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\Winampa.exe ()
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl File not found
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 63.204.233.2 63.204.233.5
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\WINDOWS\system32\psqlpwd.dll - C:\WINDOWS\system32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/24 14:18:39 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/11/22 02:15:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/11/22 02:14:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/11/22 02:03:53 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/22 02:02:22 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/22 02:02:22 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/22 02:02:22 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/22 02:02:22 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/22 01:51:46 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/11/20 00:41:39 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
[2009/11/14 15:17:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/14 15:16:51 | 00,000,000 | ---D | C] -- C:\Qoobox

========== Files - Modified Within 14 Days ==========

[2009/11/22 02:15:01 | 00,591,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/22 02:15:01 | 00,491,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/22 02:15:01 | 00,089,828 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/22 02:11:00 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/22 02:10:04 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/22 02:09:58 | 00,176,225 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/22 02:09:56 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/22 02:09:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/22 02:09:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/22 02:09:41 | 21,440,26624 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/22 02:08:30 | 04,718,592 | ---- | M] () -- C:\Documents and Settings\kiwi\ntuser.dat
[2009/11/22 02:08:30 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\kiwi\ntuser.ini
[2009/11/22 02:03:56 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/11/22 02:01:49 | 03,572,714 | R--- | M] () -- C:\Documents and Settings\kiwi\Desktop\thecbytes.exe
[2009/11/22 01:55:10 | 00,001,744 | -H-- | M] () -- C:\WINDOWS\System32\zodedika
[2009/11/20 01:56:40 | 04,304,278 | -H-- | M] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\IconCache.db
[2009/11/20 00:58:00 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2009/11/20 00:36:57 | 00,291,840 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\1xo0rbvi.exe
[2009/11/20 00:36:50 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kiwi\Desktop\OTL.exe
[2009/11/20 00:36:40 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\rkill.exe
[2009/11/20 00:36:35 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\rkill.com
[2009/11/16 22:00:33 | 03,564,038 | ---- | M] () -- C:\Documents and Settings\kiwi\My Documents\thcbytes.exe
[2009/11/16 21:58:58 | 00,288,256 | ---- | M] () -- C:\Documents and Settings\kiwi\My Documents\exeHelper.com
[2009/11/16 21:58:58 | 00,288,256 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\exeHelper.com
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/13 00:59:39 | 00,004,076 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\Attach.zip
[2009/11/13 00:37:32 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\kiwi\Desktop\dds.pif

========== Files Created - No Company Name ==========

[2009/11/22 02:03:56 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/22 02:03:53 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/22 02:02:22 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/22 02:02:22 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/22 02:02:22 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/22 02:02:22 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/22 02:02:22 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/22 02:01:24 | 03,572,714 | R--- | C] () -- C:\Documents and Settings\kiwi\Desktop\thecbytes.exe
[2009/11/22 01:52:14 | 00,001,744 | -H-- | C] () -- C:\WINDOWS\System32\zodedika
[2009/11/20 00:41:37 | 00,291,840 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\1xo0rbvi.exe
[2009/11/20 00:41:28 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\rkill.exe
[2009/11/20 00:41:23 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\rkill.com
[2009/11/17 22:24:40 | 21,440,26624 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/16 22:07:12 | 03,564,038 | ---- | C] () -- C:\Documents and Settings\kiwi\My Documents\thcbytes.exe
[2009/11/16 22:07:12 | 00,288,256 | ---- | C] () -- C:\Documents and Settings\kiwi\My Documents\exeHelper.com
[2009/11/16 22:07:02 | 00,288,256 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\exeHelper.com
[2009/11/13 00:59:39 | 00,004,076 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\Attach.zip
[2009/11/13 00:43:00 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\kiwi\Desktop\dds.pif
[2009/09/09 19:53:41 | 00,000,398 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/08/22 01:52:15 | 00,045,056 | -HS- | C] () -- C:\WINDOWS\System32\wemafuni.dll
[2009/07/04 15:42:13 | 00,001,065 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2009/06/19 01:35:39 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/06/19 01:35:39 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/06/19 01:35:38 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/06/19 01:35:38 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/04/04 19:16:01 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\kiwi\Application Data\wklnhst.dat
[2009/03/24 16:08:48 | 00,010,752 | ---- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/21 21:19:22 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/03/21 20:41:32 | 04,304,278 | -H-- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\IconCache.db
[2009/03/21 20:41:32 | 00,070,832 | ---- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/03/21 20:41:32 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\kiwi\Local Settings\Application Data\fusioncache.dat
[2009/03/21 20:41:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\kiwi\Application Data\desktop.ini
[2008/07/24 17:59:52 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/07/24 17:09:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2008/07/24 16:49:14 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/07/24 16:49:14 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/07/24 16:49:14 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/07/24 16:49:14 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/07/24 16:49:14 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/07/24 16:49:14 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/07/24 14:48:46 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4953.dll
[2008/07/24 14:24:03 | 00,000,811 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2008/07/24 14:07:52 | 00,000,764 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/07/24 14:07:45 | 00,000,491 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/07/24 14:07:44 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/07/24 07:13:59 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2007/12/06 09:55:12 | 02,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/10/18 13:47:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/02/17 10:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 10:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2002/06/12 11:21:12 | 00,049,152 | R--- | C] () -- C:\WINDOWS\System32\winchip.dll
[2001/11/14 11:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/06/05 17:10:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2008/07/24 16:43:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2009/03/21 21:26:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/24 16:54:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2009/11/01 17:16:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\.BitTornado
[2009/06/11 16:22:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\InterVideo
[2009/05/22 17:03:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Leadertech
[2009/04/04 19:16:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\kiwi\Application Data\Template
[2006/02/28 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/21 20:41:20 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 2.job
[2009/03/21 20:41:20 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 3.job
[2009/11/22 02:09:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

Edited by sweetsweetsweet, 22 November 2009 - 06:12 AM.


#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:52 PM

Posted 22 November 2009 - 11:51 AM

Progress! :(

==========

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\kiwi\Local Settings\Application Data\knfyxg
c:\documents and settings\kiwi\Application Data\.BitTornado
c:\windows\system32\nivunaso.exe
c:\windows\system32\wemafuni.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Install AVG free antivirus
  • Visit http://free.avg.com/download?prd=afe to download AVG Free setup file to your desktop.
  • Double click the downloaded setup file to Install AVG Free then update it.
  • On the left side click Computer scanner and select Scan whole computer.
  • When the scan has finished, under the Result Overview tab at the end of the scan result, click Export overview to file.
  • Select File Type: All files, Name: scan.txt and save it on your desktop.
  • Under the Warnings tab press Remove all unhealed infections. Then close the application.
  • Copy/paste the content of scan.txt located on your desktop to your reply.
==========

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

Re-run DDS and post a log.

==========

With your next post please provide:

* Combofix.txt
* AVG log
* MBAM log
* DDS log
* How is your computer running?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
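An added triage example, written for this page and not part of the thread or of OTL, ComboFix or any BleepingComputer tool: a small Python checker for OTL log lines of the kind posted above, encoding the things a helper looks for before writing a CFScript (hidden or system files with no publisher under C:\WINDOWS, orphaned Run entries, a non-default exefile/comfile association, a replaced Winlogon or SafeBoot shell, hosts-file redirections). The sample lines are copied from the OTL report in this thread plus two constructed hostile lines, marked as such; the hijack path is a placeholder.

```python
"""Triage checks for OTL log lines (constructed example; not an OTL/ComboFix tool)."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, description)

# The stock exefile/comfile [open] command. OTL appends "File not found" to it
# as well, because it tries to resolve "%1" as a path, so that suffix alone is
# not evidence of a hijack; only a different command is.
DEFAULT_OPEN_CMD = '"%1" %*'

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-RHSD]{4}) \| (?P<kind>[MC])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
ASSOC_RE = re.compile(
    r"^O35 - (?P<type>comfile|exefile) \[open\] -- (?P<cmd>.*?)(?: File not found)?$"
)
SHELL_RE = re.compile(r"^O20 - HKLM Winlogon: Shell - \((?P<shell>[^)]*)\)")
SAFEBOOT_RE = re.compile(r"^O31 - SafeBoot: AlternateShell - (?P<shell>.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")


def check_line(line: str) -> Optional[Finding]:
    """Return a finding for one OTL line, or None when the line looks benign."""
    if m := HOSTS_RE.match(line):
        # Anything beyond the loopback/localhost pair is a redirection to review.
        if m["ip"] in ("127.0.0.1", "::1") and m["host"] == "localhost":
            return None
        return ("medium", f"hosts file maps {m['host']} to {m['ip']}")
    if m := RUN_RE.match(line):
        if m["target"].endswith("File not found"):
            return ("low", f"orphaned Run entry [{m['name']}] points at a missing file")
        if m["target"].endswith("()"):
            return ("info", f"Run entry [{m['name']}] has no publisher string; verify it")
        return None
    if m := SHELL_RE.match(line):
        if m["shell"].lower() != "explorer.exe":
            return ("high", f"Winlogon Shell replaced with {m['shell']}")
        return None
    if m := SAFEBOOT_RE.match(line):
        if m["shell"].strip().lower() != "cmd.exe":
            return ("high", f"SafeBoot AlternateShell replaced with {m['shell']}")
        return None
    if m := ASSOC_RE.match(line):
        if m["cmd"] != DEFAULT_OPEN_CMD:
            return ("high", f"{m['type']} [open] hijacked: {m['cmd']}")
        return None
    if m := FILE_RE.match(line):
        # Directory entries carry no publisher field; skip them.
        if "D" in m["attr"] or m["company"] is None:
            return None
        in_windows = m["path"].lower().startswith("c:\\windows\\")
        hidden = "H" in m["attr"] or "S" in m["attr"]
        if in_windows and hidden and m["company"] == "":
            size = int(m["size"].replace(",", ""))
            return ("medium", f"hidden/system file with no publisher: {m['path']} ({size} bytes)")
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every check over a whole OTL report and return the findings in log order."""
    return [f for f in (check_line(l.rstrip()) for l in log_text.splitlines()) if f]


# Lines copied from the OTL report posted in this thread, plus two CONSTRUCTED
# hostile lines (a hosts redirection and a placeholder exefile hijack) so that
# every rule fires at least once.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.update.microsoft.com
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\Winampa.exe ()
O4 - HKU\S-1-5-21-2401620803-1517409742-3996451041-1008..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
O35 - exefile [open] -- "C:\WINDOWS\system32\EXAMPLE-hijack.exe" "%1" %* File not found
[2009/11/22 01:55:10 | 00,001,744 | -H-- | M] () -- C:\WINDOWS\System32\zodedika
[2009/08/22 01:52:15 | 00,045,056 | -HS- | C] () -- C:\WINDOWS\System32\wemafuni.dll
[2009/10/29 15:12:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/22 02:15:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
"""

if __name__ == "__main__":
    for severity, description in triage(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```

Run against the full OTL report, the file rule singles out the two System32 entries (zodedika, wemafuni.dll) that the CFScript above targets, while the stock "%1" %* associations and the explorer.exe/cmd.exe shells pass.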

#13 sweetsweetsweet

sweetsweetsweet
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:52 PM

Posted 22 November 2009 - 11:44 PM

Hi!

So I ran everything according to your instructions. MBAM wouldn't download the updates automatically, so I just updated manually.

This computer seems to be mostly normal now...
Other than that, some settings aren't exactly the same as they used to be; folder settings, for instance, are no longer the same and seem to have reverted to default.
Old restore points in System Restore are all completely gone, though that's not unexpected.
No longer getting any weird error messages on start-up, which is good.


Posted below are the requested logs:

Combofix.txt

ComboFix 09-11-22.02 - kiwi 11/22/2009 15:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1454 [GMT -8:00]
Running from: c:\documents and settings\kiwi\Desktop\thecbytes.exe
Command switches used :: c:\documents and settings\kiwi\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\kiwi\Application Data\.BitTornado"
"c:\documents and settings\kiwi\Local Settings\Application Data\knfyxg"
"c:\windows\system32\nivunaso.exe"
"c:\windows\system32\wemafuni.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nivunaso.exe
c:\windows\system32\wemafuni.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-22 22:59 . 2009-11-22 22:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-22 22:58 . 2009-11-22 22:58 -------- d-----w- c:\program files\Java
2009-11-22 09:51 . 2009-11-22 09:51 -------- d-----w- C:\_OTL
2009-11-08 07:22 . 2009-11-08 07:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-11-08 06:26 . 2009-11-08 06:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-08 06:21 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 06:21 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 06:13 . 2009-11-08 06:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-08 05:00 . 2009-11-08 05:00 -------- d-----w- c:\documents and settings\kiwi\Application Data\Malwarebytes
2009-11-08 05:00 . 2009-11-08 06:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 05:00 . 2009-11-08 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 04:58 . 2009-11-08 04:18 4045544 ----a-w- C:\mbam-setup.exe
2009-11-08 04:57 . 2009-11-08 04:18 262656 ----a-w- C:\rkill.com
2009-11-07 09:24 . 2009-11-22 09:51 -------- d-----w- c:\documents and settings\kiwi\Local Settings\Application Data\knfyxg
2009-11-02 01:16 . 2009-11-02 01:16 -------- d-----w- c:\documents and settings\kiwi\Application Data\.BitTornado
2009-10-29 19:22 . 2009-10-29 19:22 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 11:00 . 2008-07-25 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-31 06:58 . 2009-06-28 08:23 -------- d-----w- c:\program files\mIRC
2009-10-30 00:41 . 2009-03-22 04:41 70832 ----a-w- c:\documents and settings\kiwi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 19:20 . 2009-10-29 19:20 70832 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 03:12 . 2008-07-25 00:56 70832 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-18 08:51 . 2009-10-18 08:51 162112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-18 06:22 . 2008-07-25 00:59 -------- d-----w- c:\program files\Microsoft Small Business
2009-10-17 09:23 . 2008-07-25 00:57 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-11 14:18 . 2008-07-24 22:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:58 . 2009-09-10 03:53 19791 ----a-w- c:\windows\HPHins02.dat
2009-09-10 03:58 . 2009-09-10 03:58 45056 ----a-r- c:\documents and settings\kiwi\Application Data\Microsoft\Installer\{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2009-09-04 21:03 . 2008-07-24 22:07 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2008-07-24 22:07 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2008-07-24 22:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2008-07-24 22:07 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2008-07-24 22:07 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-22_10.10.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-24 23:06 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2008-07-24 23:06 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2008-07-24 22:07 . 2009-11-22 10:01 89828 c:\windows\system32\perfc009.dat
+ 2008-07-24 22:07 . 2009-11-22 22:00 89828 c:\windows\system32\perfc009.dat
+ 2009-10-18 06:55 . 2009-11-22 11:00 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-10-18 06:55 . 2009-10-22 07:26 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-10-18 06:55 . 2009-11-22 11:00 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-10-18 06:55 . 2009-10-22 07:26 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-10-18 06:55 . 2009-10-22 07:26 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-10-18 06:55 . 2009-11-22 11:00 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-11-22 11:00 . 2009-11-22 11:00 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-10-22 07:26 . 2009-10-22 07:26 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-07-24 22:07 . 2009-11-22 10:01 491304 c:\windows\system32\perfh009.dat
+ 2008-07-24 22:07 . 2009-11-22 22:00 491304 c:\windows\system32\perfh009.dat
+ 2009-11-22 22:59 . 2009-11-22 22:58 149280 c:\windows\system32\javaws.exe
+ 2009-11-22 22:59 . 2009-11-22 22:58 145184 c:\windows\system32\javaw.exe
+ 2009-11-22 22:59 . 2009-11-22 22:58 145184 c:\windows\system32\java.exe
+ 2008-07-24 15:13 . 2009-11-22 21:29 275760 c:\windows\system32\FNTCACHE.DAT
- 2008-07-24 15:13 . 2009-10-23 03:11 275760 c:\windows\system32\FNTCACHE.DAT
- 2009-10-18 06:55 . 2009-10-22 07:26 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-10-18 06:55 . 2009-11-22 11:00 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-10-18 06:55 . 2009-11-22 11:00 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2009-10-18 06:55 . 2009-10-22 07:26 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-10-18 06:55 . 2009-11-22 11:00 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2009-10-18 06:55 . 2009-10-22 07:26 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2009-10-18 06:55 . 2009-10-22 07:26 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-10-18 06:55 . 2009-11-22 11:00 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-07-24 22:07 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2009-02-09 11:13 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2009-11-22 22:58 . 2009-11-22 22:58 1757696 c:\windows\Installer\517ed9.msi
+ 2009-08-18 20:58 . 2009-08-18 20:58 8301056 c:\windows\Installer\2ea912.msp
+ 2009-08-18 20:57 . 2009-08-18 20:57 9122304 c:\windows\Installer\2ea901.msp
- 2009-10-18 06:55 . 2009-10-22 07:26 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-10-18 06:55 . 2009-11-22 11:00 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2004-04-27 61440]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-03-23 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-17 13529088]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-05-21 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-12 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-12 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-12 141848]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-05-01 1347584]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-05-01 1191936]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2008-03-26 217088]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-17 367128]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-14 503808]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-05-16 315392]
"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-02-05 546936]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2003-04-02 12288]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\jj9OngFQB.exe" [2009-11-08 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-22 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-9 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-6 576104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 06:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-03-25 19:53 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=
"c:\\Program Files\\Common Files\\Intel\\WirelessCommon\\RegSrvc.exe"=
"c:\\Program Files\\Intel\\WiFi\\bin\\ZCfgSvc.exe"=
"c:\\Program Files\\Common Files\\Intel\\WirelessCommon\\iFrmewrk.exe"=
"c:\\Program Files\\Sony\\VAIO Power Management\\SPMgr.exe"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\Program Files\\Intel\\WiFi\\bin\\EvtEng.exe"=
"c:\\Program Files\\Intel\\WiFi\\bin\\S24EvMon.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/24/2008 2:32 PM 22560]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [7/24/2008 4:38 PM 2058776]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [7/24/2008 2:08 PM 72448]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [7/24/2008 2:08 PM 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/24/2008 2:08 PM 41216]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [7/24/2008 2:08 PM 71961]
.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2009-09-10 04:55]

2009-03-22 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-07-24 12:42]

2009-03-22 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-07-24 12:42]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {675E69CB-FFB0-43D7-811F-758F2E32F612} = 77.74.48.113
TCP: {92C59818-9FB9-4A69-B1DC-088D62C50A42} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 15:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll
c:\program files\Protector Suite QL\crypto.dll
.
Completion time: 2009-11-22 15:15
ComboFix-quarantined-files.txt 2009-11-22 23:15

Pre-Run: 201,737,854,976 bytes free
Post-Run: 201,682,132,992 bytes free

- - End Of File - - 8928675A2A173B48B13728001C1B7BE7


AVG log

"Scan ""Scan whole computer"" was finished."
"Infections";"5";"5";"0"
"Spyware";"1";"1";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Sunday, November 22, 2009, 3:44:47 PM"
"Scan finished:";"Sunday, November 22, 2009, 4:39:36 PM (54 minute(s) 48 second(s))"
"Total object scanned:";"403164"
"User who launched the scan:";"kiwi"

"Infections"
"File";"Infection";"Result"
"C:\_OTL\MovedFiles\11222009_015146\C_Documents and Settings\kiwi\Local Settings\Temp\cr2kbcxp9.exe";"Trojan horse SHeur2.BQFZ";"Moved to Virus Vault"
"C:\_OTL\MovedFiles\11222009_015146\C_WINDOWS\system32\hujepaka.dll";"Trojan horse SHeur2.BQDU";"Moved to Virus Vault"
"C:\_OTL\MovedFiles\11222009_015146\C_WINDOWS\system32\iehelper.dll";"Trojan horse BHO.JEW";"Moved to Virus Vault"
"C:\_OTL\MovedFiles\11222009_015146\C_WINDOWS\system32\kepivuve.dll";"Trojan horse SHeur2.BQDU";"Moved to Virus Vault"
"C:\System Volume Information\_restore{17178351-D654-426B-8052-48DF88E5CFB7}\RP1\A0000027.dll";"Trojan horse FakeAlert.NK";"Moved to Virus Vault"

"Spyware"
"File";"Infection";"Result"
"C:\_OTL\MovedFiles\11222009_015146\C_Documents and Settings\kiwi\Local Settings\Application Data\knfyxg\xtccsysguard.exe";"Potentially harmful program Fake_AntiSpyware.DXP";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\media.adrevolver.com.7fd89687";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\realmedia.com.68087763";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\realmedia.com.e14be39e";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.4a124674";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.4fdfee8f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.738d89d";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.80477c7f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.9890547d";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\overture.com.8e32a996";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\overture.com.d727de6f";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\overture.com.e626e6be";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\realmedia.com.2dece335";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.a64c3767";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.2d5fb3a5";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.6215368c";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.7f719fa1";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.80ab30e9";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.63cb6cf0";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.7362fcc3";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.8642c85d";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.a5874ce1";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.d7f89994";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.e06cb90c";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.e9b51fc6";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.f5f26334";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.f7ac007f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.fb487293";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\tradedoubler.com.dc3c9994";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\tradedoubler.com.eab0972e";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\tradedoubler.com.ef90aa95";"Found Tracking cookie.Tradedoubler";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\trafficmp.com.37644bdb";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\casalemedia.com.156cbc67";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\fortunecity.com.13a6979d";"Found Tracking cookie.Fortunecity";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\fortunecity.com.99c35e71";"Found Tracking cookie.Fortunecity";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\casalemedia.com.3a28db8d";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\fortunecity.com.ce59db3e";"Found Tracking cookie.Fortunecity";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\fastclick.net.57e8da10";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\questionmarket.com.a3db850a";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\questionmarket.com.d4dcb59c";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\realmedia.com.ef906bac";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.27e60b8d";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.9edcdb07";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\revsci.net.f3475212";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\trafficmp.com.57ea0da5";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\trafficmp.com.ae53b8b";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\trafficmp.com.e2e71e33";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.14a38114";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\trafficmp.com.f3e5803e";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.f462b69f";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.6a4b36ab";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.a5b6a132";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.f1d14556";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Application Data\Mozilla\Firefox\Profiles\bi6nuxz0.default\cookies.sqlite:\zedo.com.ff8ec9c0";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@247realmedia[1].txt";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@247realmedia[1].txt:\247realmedia.com.125a868c";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@247realmedia[1].txt:\247realmedia.com.855b46d";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@247realmedia[1].txt:\247realmedia.com.b71b16cc";"Found Tracking cookie.247realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@2o7[1].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@2o7[1].txt:\2o7.net.52552b50";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@2o7[1].txt:\2o7.net.8f4a3ad4";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@2o7[1].txt:\2o7.net.bab0b6da";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.830b6f08";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.cf5393df";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@ad.yieldmanager[1].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@admarketplace[1].txt";"Found Tracking cookie.Admarketplace";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@admarketplace[1].txt:\admarketplace.net.61a250a";"Found Tracking cookie.Admarketplace";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@adrevolver[2].txt";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@adrevolver[2].txt:\adrevolver.com.9b9d670a";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@adrevolver[2].txt:\adrevolver.com.f6cfcad4";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@advertising[2].txt";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@advertising[2].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@advertising[2].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@advertising[2].txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@advertising[2].txt:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@advertising[2].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@advertising[2].txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@atdmt[2].txt";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@atdmt[2].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@atdmt[2].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@atdmt[2].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@atdmt[2].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@bluestreak[1].txt";"Found Tracking cookie.Bluestreak";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@bluestreak[1].txt:\bluestreak.com.bf396750";"Found Tracking cookie.Bluestreak";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@bs.serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@burstbeacon[1].txt";"Found Tracking cookie.Burstbeacon";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@burstbeacon[1].txt:\burstbeacon.com.c4fe2ebb";"Found Tracking cookie.Burstbeacon";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@burstnet[1].txt";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@burstnet[1].txt:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt:\casalemedia.com.650648e8";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt:\casalemedia.com.8c65eddd";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@casalemedia[1].txt:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@doubleclick[1].txt";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@doubleclick[1].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@fastclick[2].txt";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@fastclick[2].txt:\fastclick.net.57e8da10";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@fastclick[2].txt:\fastclick.net.8a6435e9";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@fastclick[2].txt:\fastclick.net.fac3d6f0";"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@media.adrevolver[2].txt";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@media.adrevolver[2].txt:\media.adrevolver.com.5fed601d";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@media.adrevolver[2].txt:\media.adrevolver.com.7fd89687";"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@mediaplex[1].txt";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@mediaplex[1].txt:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@mediaplex[1].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@msnportal.112.2o7[1].txt";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@perf.overture[1].txt";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@perf.overture[1].txt:\perf.overture.com.610ef18d";"Found Tracking cookie.Overture";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@questionmarket[1].txt";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@questionmarket[1].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@questionmarket[1].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@realmedia[1].txt";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@realmedia[1].txt:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@realmedia[1].txt:\realmedia.com.9514c147";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@realmedia[1].txt:\realmedia.com.a2b49f1a";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@realmedia[1].txt:\realmedia.com.bf4a1fa7";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@realmedia[1].txt:\realmedia.com.ef906bac";"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@revsci[1].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@revsci[1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@revsci[1].txt:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@revsci[1].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@serving-sys[1].txt";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@serving-sys[1].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@serving-sys[1].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@serving-sys[1].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@serving-sys[1].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@serving-sys[1].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@serving-sys[1].txt:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@smartadserver[1].txt";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@smartadserver[1].txt:\smartadserver.com.321a5cf8";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@smartadserver[1].txt:\smartadserver.com.5550c4ed";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@smartadserver[1].txt:\smartadserver.com.c5827141";"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tacoda[1].txt";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tacoda[1].txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tacoda[1].txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tacoda[1].txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tacoda[1].txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tacoda[1].txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@trafficmp[2].txt";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@trafficmp[2].txt:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@trafficmp[2].txt:\trafficmp.com.37644bdb";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@trafficmp[2].txt:\trafficmp.com.ae53b8b";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@trafficmp[2].txt:\trafficmp.com.e2e71e33";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@trafficmp[2].txt:\trafficmp.com.f3e5803e";"Found Tracking cookie.Trafficmp";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tribalfusion[1].txt";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@tribalfusion[1].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@valueclick[1].txt";"Found Tracking cookie.Valueclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@valueclick[1].txt:\valueclick.net.85648628";"Found Tracking cookie.Valueclick";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@yadro[2].txt";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@yadro[2].txt:\yadro.ru.a4842f54";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@yadro[2].txt:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@zedo[2].txt";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@zedo[2].txt:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@zedo[2].txt:\zedo.com.a5b6a132";"Found Tracking cookie.Zedo";"Moved to Virus Vault"
"C:\Documents and Settings\kiwi\Cookies\kiwi@zedo[2].txt:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Moved to Virus Vault"


MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 3181
Windows 5.1.2600 Service Pack 3

11/22/2009 5:39:09 PM
mbam-log-2009-11-22 (17-39-09).txt

Scan type: Quick Scan
Objects scanned: 117649
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a45a4b15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{675e69cb-ffb0-43d7-811f-758f2e32f612}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92c59818-9fb9-4a69-b1dc-088d62c50a42}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{675e69cb-ffb0-43d7-811f-758f2e32f612}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{92c59818-9fb9-4a69-b1dc-088d62c50a42}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{675e69cb-ffb0-43d7-811f-758f2e32f612}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{92c59818-9fb9-4a69-b1dc-088d62c50a42}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS log

DDS (Ver_09-11-23.01) - NTFSx86
Run by kiwi at 20:00:42.92 on Sun 11/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1402 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kiwi\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kiwi\applic~1\mozilla\firefox\profiles\bi6nuxz0.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2008-7-24 22560]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-22 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-22 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-11-22 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-11-22 297752]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2008-7-24 2058776]
R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [2008-7-24 72448]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-7-24 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-24 41216]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2008-7-24 71961]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]

=============== Created Last 30 ================

2009-11-23 00:53:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 00:53:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 00:53:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 23:47:31 0 d--h--w- C:\$AVG8.VAULT$
2009-11-22 23:41:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-22 23:41:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-22 23:41:40 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-22 23:41:38 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-11-22 23:41:27 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-22 23:41:23 0 d-----w- c:\program files\AVG
2009-11-22 23:41:23 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2009-11-22 22:59:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-22 22:59:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-22 10:03:53 0 d-sha-r- C:\cmdcons
2009-11-22 10:02:22 98816 ----a-w- c:\windows\sed.exe
2009-11-22 10:02:22 77312 ----a-w- c:\windows\MBR.exe
2009-11-22 10:02:22 260608 ----a-w- c:\windows\PEV.exe
2009-11-22 10:02:22 161792 ----a-w- c:\windows\SWREG.exe
2009-11-22 09:52:14 1744 ---ha-w- c:\windows\system32\zodedika
2009-11-22 09:51:46 0 d-----w- C:\_OTL
2009-11-08 06:13:58 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-08 06:10:15 7680 --sha-w- c:\windows\Thumbs.db
2009-11-08 05:00:11 0 d-----w- c:\docume~1\kiwi\applic~1\Malwarebytes
2009-11-08 05:00:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-07 09:24:28 0 --sha-w- C:\-662714555
2009-11-02 01:16:43 0 d-----w- c:\docume~1\kiwi\applic~1\.BitTornado

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 03:58:50 19791 ----a-w- c:\windows\HPHins02.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-07-24 22:47:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-03-22 04:36:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032120090322\index.dat

============= FINISH: 20:01:09.51 ===============
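The Trojan.DNSChanger entries in the MBAM log above show the per-interface NameServer value rewritten to 77.74.48.113 in CurrentControlSet, ControlSet002 and ControlSet003 alike, which is why a check of only the live control set can miss a resolver hijack. The script below is an added example, not something posted in this thread or shipped with MBAM or DDS: it walks every ControlSet*\Services\Tcpip\Parameters\Interfaces key, lists each configured resolver, flags the value reported in the log as known-bad, and marks anything outside an allowlist for review. The $ExpectedResolvers list is an assumed placeholder; replace it with the resolvers your network actually hands out.

```powershell
# Added example (not from the thread): audit the DNS resolver configuration of every
# TCP/IP interface in every control set, the setting Trojan.DNSChanger modified above.

$ExpectedResolvers = @('192.168.1.1')    # ASSUMPTION: resolver(s) your DHCP server normally hands out
$KnownBad          = @('77.74.48.113')   # value reported in the MBAM log above

function Get-InterfaceResolverReport {
    # Every ControlSetNNN key plus the CurrentControlSet alias; a hijack written into a
    # spare control set survives a "Last Known Good" boot, so check all of them.
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }

    foreach ($cs in $controlSets) {
        $ifPath = Join-Path -Path $cs.PSPath -ChildPath 'Services\Tcpip\Parameters\Interfaces'
        if (-not (Test-Path -Path $ifPath)) { continue }

        foreach ($if in Get-ChildItem -Path $ifPath) {
            $props = Get-ItemProperty -Path $if.PSPath

            # NameServer is the static override; DhcpNameServer is what DHCP supplied.
            foreach ($valueName in 'NameServer', 'DhcpNameServer') {
                $raw = $props.$valueName
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }

                # The value is a comma- or space-separated list of IP addresses.
                foreach ($server in ($raw -split '[,\s]+' | Where-Object { $_ })) {
                    $verdict = if ($KnownBad -contains $server)          { 'KNOWN-BAD' }
                               elseif ($ExpectedResolvers -contains $server) { 'expected' }
                               else                                          { 'REVIEW' }

                    [pscustomobject]@{
                        ControlSet  = $cs.PSChildName
                        Interface   = $if.PSChildName
                        Value       = $valueName
                        Resolver    = $server
                        DhcpEnabled = [bool]$props.EnableDHCP
                        Verdict     = $verdict
                    }
                }
            }
        }
    }
}

$report = Get-InterfaceResolverReport
$report | Format-Table -AutoSize

# A populated static NameServer on an interface that has EnableDHCP = 1 is the
# DNSChanger pattern: the static value silently overrides the DHCP-supplied resolvers.
$suspect = $report | Where-Object { $_.Verdict -ne 'expected' -or
                                   ($_.Value -eq 'NameServer' -and $_.DhcpEnabled) }
if ($suspect) {
    Write-Warning "Resolver entries that need attention:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "No unexpected resolver entries found."
}
```

Run it from an elevated PowerShell prompt so every control set is readable. A "REVIEW" verdict is not a detection by itself (corporate or ISP resolvers will land there until they are added to the allowlist), but a static NameServer on a DHCP interface, or any "KNOWN-BAD" row, should be cleared and the interface returned to DHCP-assigned DNS.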

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:08:52 PM

Posted 23 November 2009 - 12:33 PM

Well done. :(

I want you to re-run MBAM and make sure it comes up clean.

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

Your hard disk displays errors - Let's fix that!

* Click Start > Run and type chkdsk /f and then click OK.
o Note the space between the k and the /

* Allow the scan to run and when completed, reboot the system.

==========

You may have corrupt critical system files. Let's see if we can fix that.

* Click Start > Run and type sfc /scannow and then click OK.
o Note the space between the c and the /
* You may need your Windows XP CD so have it ready.
o If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD. This can be done with a borrowed CD, if you don't have one.
* Allow the scan to run and when completed, reboot the system.

==========

With your next post please provide:

* MBAM log
* Did sfc prompt you for your install disc?
* How is your computer running?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#15 sweetsweetsweet

sweetsweetsweet
  • Topic Starter

  • Members
  • 11 posts
  • Local time:05:52 PM

Posted 26 November 2009 - 03:37 AM

Hi!

I was able to do the chkdsk scan but not sfc.

For some reason, when I try sfc /scannow, it prompts for the Windows disk, but when I put in either of the disks that I have, the system won't recognize them as the original Windows XP Professional disk.
When I purchased this laptop, it came with Vista, but I used the Sony Vaio downgrade CD to downgrade to Windows XP, which was a 2-disk DVD thing. I don't know anyone with the CD either.

Everything seems to be working fine. Maybe a bit slower starting up firefox?
And mbam doesn't seem to want to update when I click the "Check for Updates" button. It just gives an error.

Posted below is the mbam log:
Malwarebytes' Anti-Malware 1.41
Database version: 3181
Windows 5.1.2600 Service Pack 3

11/24/2009 10:19:54 PM
mbam-log-2009-11-24 (22-19-54).txt

Scan type: Quick Scan
Objects scanned: 117694
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



