hijack this log ;)


  • This topic is locked
6 replies to this topic

#1 Bhnm

  • Members
  • 12 posts

Posted 27 November 2009 - 03:59 PM

OK, here is my log.
I have avast! antivirus.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:28 AM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HyperIM\HyperIM.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Behnam\LOCALS~1\Temp\herss.exe
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6854 bytes



I'll be glad if you guys help me ;)

Edited by Bhnm, 27 November 2009 - 05:29 PM.





#2 syler

  • Malware Response Team
  • 8,150 posts

Posted 02 December 2009 - 11:08 AM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 Bhnm

  • Topic Starter

  • Members
  • 12 posts

Posted 02 December 2009 - 02:58 PM

Hi,
Thanks for your help.
I think I removed the virus, but I'm still not sure if that's right, because I still have some problems: when I want to enter Local Disk C:\ I get an error which says "The C:\ application cannot be run in win 32 mode", and when I want to enter another local disk, an Open With window opens...
Anyway, here are the 2 files that you requested:
log.txt
Logfile of random's system information tool 1.06 (written by random/random)
Run by Behnam at 2009-12-02 23:24:04
Microsoft Windows XP Professional Service Pack 3
System drive C: has 117 GB (89%) free of 131 GB
Total RAM: 2047 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:09 PM, on 12/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Behnam\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Behnam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7540 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2009-05-07 169392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
Yahoo! Companion BHO - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll [2005-04-13 327748]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Companion - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll [2005-04-13 327748]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2008-04-14 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2009-07-01 37888]
"OrderReminder"=C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe [2005-03-18 98304]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-09-15 81000]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2008-04-14 59392]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-07-05 16380416]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2009-11-04 26112]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"IDMan"=C:\Program Files\Internet Download Manager\IDMan.exe [2009-12-02 2815408]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"HyperIM"=C:\Program Files\HyperIM\HyperIM.exe [2007-11-18 220672]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-11-23 2001648]
"Registry Cleaner Scheduler"=C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe [2009-11-28 1401096]

C:\Documents and Settings\Behnam\Start Menu\Programs\Startup
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-08-14 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of DutyŽ 4 - Modern Warfare™"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\q3kku.exe
shell\open\command - C:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\q3kku.exe
shell\open\command - D:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\q3kku.exe
shell\open\command - E:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\.\AutorunX\AutorunX.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58ac92fd-b82d-11de-a819-806d6172696f}]
shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58ac92ff-b82d-11de-a819-806d6172696f}]
shell\AutoRun\command - C:\q3kku.exe
shell\open\command - C:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58ac9300-b82d-11de-a819-806d6172696f}]
shell\AutoRun\command - q3kku.exe
shell\open\command - q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58ac9301-b82d-11de-a819-806d6172696f}]
shell\AutoRun\command - q3kku.exe
shell\open\command - q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4981fbd-b81e-11de-ad74-001d7d45097c}]
shell\AutoRun\command - H:\q3kku.exe
shell\open\command - H:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3a40ef2-b8e0-11de-ad76-001d7d45097c}]
shell\AutoRun\command - H:\ymxf2.exe
shell\open\command - H:\ymxf2.exe


======List of files/folders created in the last 1 months======

2009-12-02 23:24:04 ----D---- C:\rsit
2009-12-02 20:36:47 ----D---- C:\WINDOWS\LastGood
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET70.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET62.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET60.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET5C.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET5A.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET58.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET41.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET3F.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET3B.tmp
2009-12-02 20:36:47 ----A---- C:\WINDOWS\system32\SET39.tmp
2009-12-02 20:36:44 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-12-02 20:36:28 ----D---- C:\Program Files\ATI
2009-12-02 19:35:49 ----D---- C:\WINDOWS\Prefetch
2009-12-02 19:25:40 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-12-02 19:19:42 ----A---- C:\WINDOWS\system32\irclass.dll
2009-12-02 19:19:41 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-12-02 19:19:27 ----RA---- C:\WINDOWS\SET4E.tmp
2009-12-02 19:19:23 ----RA---- C:\WINDOWS\SET42.tmp
2009-12-02 19:19:20 ----RA---- C:\WINDOWS\SET3F.tmp
2009-12-02 19:18:38 ----A---- C:\WINDOWS\setuplog.txt
2009-12-02 19:09:09 ----A---- C:\WINDOWS\UPGRADE.TXT
2009-12-02 18:58:00 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-02 18:57:54 ----D---- C:\Program Files\CleanMyPC
2009-12-02 18:40:54 ----D---- C:\WINDOWS\WBEM
2009-12-02 18:40:43 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-12-02 18:40:43 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2009-12-02 18:39:51 ----HDC---- C:\WINDOWS\ie8
2009-12-02 18:39:24 ----D---- C:\bf4a36bbf23c035ffaf0fad800784e51
2009-11-30 23:03:46 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-11-28 11:54:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-11-28 02:09:15 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-28 02:09:09 ----D---- C:\Program Files\SUPERAntiSpyware
2009-11-28 02:09:09 ----D---- C:\Documents and Settings\Behnam\Application Data\SUPERAntiSpyware.com
2009-11-27 23:46:27 ----D---- C:\Program Files\Trend Micro
2009-11-27 23:29:30 ----SHD---- C:\WINDOWS\ftpcache
2009-11-27 23:29:25 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2009-11-27 23:29:25 ----A---- C:\WINDOWS\system32\x3daudio1_2.dll
2009-11-27 23:29:25 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2009-11-27 23:29:24 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2009-11-27 23:29:24 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2009-11-27 23:29:24 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2009-11-27 23:29:23 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2009-11-27 23:29:22 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2009-11-27 23:29:22 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2009-11-27 23:29:20 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2009-11-27 23:29:20 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2009-11-27 23:29:20 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2009-11-27 23:29:16 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2009-11-27 23:29:16 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2009-11-27 23:29:16 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2009-11-27 23:29:15 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2009-11-27 23:29:15 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2009-11-27 23:29:14 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2009-11-27 23:27:54 ----D---- C:\WINDOWS\system32\LogFiles
2009-11-27 23:27:54 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-11-27 23:27:54 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-11-27 23:27:52 ----A---- C:\WINDOWS\game.ini
2009-11-27 23:21:26 ----D---- C:\Program Files\Activision
2009-11-27 22:06:22 ----D---- C:\Documents and Settings\Behnam\Application Data\WinRAR
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\MSVCR71.dll
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\MSVCP71.dll
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\MFC71.dll
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-11-27 20:55:04 ----D---- C:\Program Files\Alwil Software
2009-11-27 20:54:21 ----D---- C:\Program Files\WinRAR
2009-11-27 20:46:37 ----D---- C:\WINDOWS\pss
2009-11-27 20:35:54 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-11-27 20:35:31 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-27 20:35:25 ----D---- C:\Program Files\Common Files\Adobe
2009-11-27 20:35:25 ----D---- C:\Program Files\Adobe
2009-11-27 19:00:36 ----RSH---- C:\q3kku.exe
2009-11-20 16:53:19 ----D---- C:\Documents and Settings\Behnam\Application Data\Ventrilo
2009-11-20 16:52:57 ----D---- C:\Program Files\Ventrilo
2009-11-20 16:52:45 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-19 23:50:19 ----D---- C:\Documents and Settings\Behnam\Application Data\Macromedia
2009-11-19 23:50:19 ----D---- C:\Documents and Settings\Behnam\Application Data\Adobe
2009-11-16 14:31:05 ----D---- C:\backup_p
2009-11-16 14:31:01 ----A---- C:\WINDOWS\system32\win32loa.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\qtintf.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\odbcinst.ini
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\odbc.ini
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idsql32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idr20009.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idqbe32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idpdx32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idodbc32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\iddr32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idbat32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idasci32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idapi32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\cp3245mt.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\cc3250mt.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\borlndmm.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\blw32.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\bantam.dll
2009-11-16 14:30:27 ----D---- C:\Patris
2009-11-16 14:30:23 ----A---- C:\WINDOWS\system32\RockVdd.dll
2009-11-07 23:44:01 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-11-07 23:44:01 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-11-06 20:46:03 ----A---- C:\WINDOWS\client.config.ini
2009-11-05 14:52:25 ----D---- C:\Program Files\MiniLyrics
2009-11-05 14:52:21 ----D---- C:\Program Files\HyperIM

======List of files/folders modified in the last 1 months======

2009-12-02 23:16:55 ----D---- C:\Program Files\Mozilla Firefox
2009-12-02 22:47:11 ----D---- C:\WINDOWS\system32\Setup
2009-12-02 22:47:11 ----D---- C:\WINDOWS\system
2009-12-02 22:47:05 ----D---- C:\WINDOWS\L2Schemas
2009-12-02 22:47:04 ----D---- C:\WINDOWS\system32\usmt
2009-12-02 22:46:54 ----D---- C:\WINDOWS\AppPatch
2009-12-02 22:46:48 ----D---- C:\WINDOWS\mui
2009-12-02 22:46:47 ----D---- C:\WINDOWS\ehome
2009-12-02 22:46:46 ----D---- C:\WINDOWS\ime
2009-12-02 22:46:45 ----D---- C:\WINDOWS\Media
2009-12-02 22:46:44 ----D---- C:\WINDOWS\Network Diagnostic
2009-12-02 22:46:43 ----D---- C:\WINDOWS\system32\scripting
2009-12-02 22:46:35 ----D---- C:\WINDOWS\PeerNet
2009-12-02 22:46:25 ----D---- C:\WINDOWS\system32\npp
2009-12-02 22:46:19 ----D---- C:\WINDOWS\msagent
2009-12-02 22:46:16 ----D---- C:\WINDOWS\system32\en
2009-12-02 22:43:01 ----D---- C:\WINDOWS\twain_32
2009-12-02 22:42:16 ----D---- C:\WINDOWS\system32\icsxml
2009-12-02 22:41:54 ----D---- C:\WINDOWS\system32\ias
2009-12-02 22:41:50 ----D---- C:\WINDOWS\system32\1033
2009-12-02 22:41:01 ----D---- C:\WINDOWS\Driver Cache
2009-12-02 21:03:23 ----D---- C:\Documents and Settings\Behnam\Application Data\Xfire
2009-12-02 20:37:04 ----D---- C:\WINDOWS\system32
2009-12-02 20:37:04 ----D---- C:\WINDOWS
2009-12-02 20:36:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-02 20:36:51 ----D---- C:\WINDOWS\system32\drivers
2009-12-02 20:36:49 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-12-02 20:36:48 ----HD---- C:\WINDOWS\inf
2009-12-02 20:36:44 ----SHD---- C:\WINDOWS\Installer
2009-12-02 20:36:44 ----D---- C:\Program Files\ATI Technologies
2009-12-02 20:36:39 ----D---- C:\WINDOWS\WinSxS
2009-12-02 20:36:39 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-02 20:36:28 ----RD---- C:\Program Files
2009-12-02 20:11:02 ----D---- C:\WINDOWS\Temp
2009-12-02 20:10:59 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-02 20:05:56 ----D---- C:\Documents and Settings\Behnam\Application Data\DMCache
2009-12-02 20:05:37 ----D---- C:\Program Files\Internet Download Manager
2009-12-02 20:04:30 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-02 19:58:48 ----D---- C:\WINDOWS\Help
2009-12-02 19:58:48 ----D---- C:\Program Files\Internet Explorer
2009-12-02 19:58:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-02 19:49:35 ----D---- C:\WINDOWS\system32\en-US
2009-12-02 19:45:46 ----D---- C:\WINDOWS\system32\Restore
2009-12-02 19:36:52 ----D---- C:\WINDOWS\Registration
2009-12-02 19:35:59 ----SHD---- C:\System Volume Information
2009-12-02 19:28:54 ----D---- C:\WINDOWS\system32\config
2009-12-02 19:28:54 ----A---- C:\WINDOWS\imsins.BAK
2009-12-02 19:26:25 ----A---- C:\WINDOWS\OEWABLog.txt
2009-12-02 19:26:21 ----A---- C:\WINDOWS\ODBCINST.INI
2009-12-02 19:25:42 ----RD---- C:\WINDOWS\Web
2009-12-02 19:25:36 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-12-02 19:25:28 ----A---- C:\WINDOWS\win.ini
2009-12-02 19:25:22 ----D---- C:\WINDOWS\system32\oobe
2009-12-02 19:25:20 ----D---- C:\WINDOWS\security
2009-12-02 19:24:52 ----D---- C:\WINDOWS\system32\Com
2009-12-02 19:24:34 ----D---- C:\WINDOWS\system32\wbem
2009-12-02 19:24:05 ----SH---- C:\boot.ini
2009-12-02 19:20:09 ----A---- C:\WINDOWS\system.ini
2009-12-02 19:19:51 ----RSD---- C:\WINDOWS\Fonts
2009-12-02 19:19:34 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2009-12-02 19:19:29 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-02 18:39:35 ----D---- C:\WINDOWS\SoftwareDistribution
2009-12-02 18:28:16 ----D---- C:\Program Files\Xfire
2009-11-30 14:04:58 ----SD---- C:\Documents and Settings\Behnam\Application Data\Microsoft
2009-11-30 14:04:57 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-11-27 23:29:11 ----D---- C:\WINDOWS\system32\DirectX
2009-11-27 23:27:51 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-27 21:43:49 ----SHD---- C:\RECYCLER
2009-11-27 20:35:54 ----D---- C:\Program Files\Common Files
2009-11-09 18:24:53 ----D---- C:\Documents and Settings\Behnam\Application Data\IDM
2009-11-06 15:25:52 ----D---- C:\Program Files\MSN
2009-11-04 19:15:14 ----A---- C:\WINDOWS\system32\ATIDEMGX.dll
2009-11-04 18:59:28 ----A---- C:\WINDOWS\system32\Oemdspif.dll
2009-11-04 18:59:16 ----A---- C:\WINDOWS\system32\Ati2mdxx.exe
2009-11-04 18:58:16 ----A---- C:\WINDOWS\system32\atiiiexx.dll
2009-11-04 18:56:18 ----A---- C:\WINDOWS\system32\ATIDDC.DLL
2009-11-04 18:47:48 ----A---- C:\WINDOWS\system32\atioglxx.dll
2009-11-04 18:21:08 ----A---- C:\WINDOWS\system32\atimpc32.dll
2009-11-04 18:21:08 ----A---- C:\WINDOWS\system32\amdpcom32.dll
2009-11-04 18:16:58 ----A---- C:\WINDOWS\system32\aticalrt.dll
2009-11-04 18:16:44 ----A---- C:\WINDOWS\system32\aticalcl.dll
2009-11-04 18:15:30 ----A---- C:\WINDOWS\system32\atiadlxx.dll
2009-11-04 18:15:08 ----A---- C:\WINDOWS\system32\aticaldd.dll
2009-11-04 18:15:04 ----A---- C:\WINDOWS\system32\atitvo32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-09-15 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-09-15 94160]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2008-04-14 11868]
R2 ROCKEYNT;ROCKEYNT; \??\C:\WINDOWS\system32\drivers\Rockeynt.sys []
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-11-04 4423168]
R3 HdAudAddService;ATI Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\AtiHdAud.sys [2006-12-28 84992]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2008-04-14 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2008-04-14 220032]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-07-18 4547584]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2007-08-07 98944]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2008-04-14 685056]
S3 rockusb;ROCKUSB; C:\WINDOWS\system32\DRIVERS\rockusb.sys [2009-11-16 23576]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-09-15 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-08-14 602112]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-09-15 138680]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-12-02 66872]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-09-15 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-09-15 352920]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-08-13 593920]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]

-----------------EOF-----------------

===========================================================

Info.txt
info.txt logfile of random's system information tool 1.06 2009-12-02 23:24:11

======Uninstall list======

-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
50 FREE MP3s +1 Free Audiobook!-->"C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder-->MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVIVO-->MsiExec.exe /X{5399ACAF-7B15-43D5-9233-4E797B184FD2}
Call of Duty® 4 - Modern Warfare™-->C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
CleanMyPC - Registry Cleaner-->"C:\Program Files\CleanMyPC\Registry Cleaner\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HyperIM 2.14-->"C:\Program Files\HyperIM\uninstall.exe"
Internet Download Manager-->C:\Program Files\Internet Download Manager\Uninstall.exe
LaserJet 1020 series-->C:\Program Files\Zenographics\{A9F1E007-2D48-4443-AEE0-8475A1134AFF}\Setup.exe -u "HPLJInstaller.dll=Hplj1020.inf"
Last.fm 1.5.4.24567-->"C:\Program Files\Last.fm\unins000.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.5.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
OrderReminder HP LaserJet 1020-->"C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1020
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The KMPlayer (remove only)-->"C:\Program Files\The KMPlayer\uninstall.exe"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 8 Beta 1-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Yahoo! Companion-->rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui

======Security center information======

AV: avast! antivirus 4.8.1368 [VPS 091202-0]

======System event log======

Computer Name: BHNM
Event Code: 64008
Message: The protected system file c:\windows\system32\drivers\usbehci.sys could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Record Number: 38
Source Name: Windows File Protection
Time Written: 20091013201024.000000+210
Event Type: warning
User:

Computer Name: BHNM
Event Code: 64008
Message: The protected system file c:\windows\system32\drivers\usbuhci.sys could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Record Number: 37
Source Name: Windows File Protection
Time Written: 20091013201024.000000+210
Event Type: warning
User:

Computer Name: BHNM
Event Code: 64008
Message: The protected system file c:\windows\system32\drivers\usbport.sys could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Record Number: 36
Source Name: Windows File Protection
Time Written: 20091013201024.000000+210
Event Type: warning
User:

Computer Name: BHNM
Event Code: 64008
Message: The protected system file c:\windows\system32\drivers\usbhub.sys could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Record Number: 35
Source Name: Windows File Protection
Time Written: 20091013201024.000000+210
Event Type: warning
User:

Computer Name: BHNM
Event Code: 64008
Message: The protected system file c:\windows\system32\usbui.dll could not be verified as valid because Windows
File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later time.

Record Number: 34
Source Name: Windows File Protection
Time Written: 20091013201024.000000+210
Event Type: warning
User:

=====Application event log=====

Computer Name: BHNM
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 15
Source Name: WinMgmt
Time Written: 20091013194118.000000+210
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: BHNM
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 14
Source Name: WinMgmt
Time Written: 20091013194118.000000+210
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: BHNM
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13
Source Name: WinMgmt
Time Written: 20091013194118.000000+210
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: BHNM
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12
Source Name: WinMgmt
Time Written: 20091013194118.000000+210
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: BHNM
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11
Source Name: WinMgmt
Time Written: 20091013194116.000000+210
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

I'll be glad if you help me ;)

Edited by Bhnm, 02 December 2009 - 03:00 PM.

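The RSIT driver and service lists above are what a helper reads first, and the entries with empty brackets (the SUPERAntiSpyware drivers, ROCKEYNT, IntelIde) are the ones that need a manual look because the tool could not read the file. The following is an added example, written for this page and not code from RSIT or from either poster, that turns those lines into records and flags them. It assumes, from the log rather than from anything stated on the page, that RSIT writes `<R|S><start> <name>;<display>; <path> [<date> <size>]` and leaves the brackets empty when it cannot stat the file; the sample lines are copied from the log above and the scan date comes from the info.txt header.

```python
r"""Added example (mine, not RSIT's or the poster's code): turn the RSIT
driver and service lists into records and flag entries worth a manual check.
Assumption, inferred from the log rather than stated on the page: RSIT writes
'<R|S><start> <name>;<display>; <path> [<date> <size>]' and leaves the
brackets empty when it could not read the file."""
import re
from datetime import date, timedelta

_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.*?) \[(?:(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+))?\]$"
)
# Directories a non-admin user can write to; a driver loading from here is unusual.
_USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")


def parse_line(line: str):
    """One RSIT driver/service line -> dict, or None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    path = d["path"]
    if path.startswith("\\??\\"):   # NT object-manager prefix some entries carry
        path = path[4:]
    return {
        "name": d["name"],
        "running": d["state"] == "R",
        "start": int(d["start"]),
        "path": path,
        "date": date.fromisoformat(d["date"]) if d["date"] else None,
        "size": int(d["size"]) if d["size"] else None,
    }


def triage(lines, scan_day: date, window_days: int = 7) -> list:
    """Parse every line and attach flags:
    no_file_info       : RSIT could not stat the file (missing, locked or hidden)
    recent             : file dated within window_days of the scan
    user_writable_path : loaded from a profile or Temp directory"""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flags = []
        if rec["date"] is None:
            flags.append("no_file_info")
        elif scan_day - rec["date"] <= timedelta(days=window_days):
            flags.append("recent")
        if any(s in rec["path"].lower() for s in _USER_WRITABLE):
            flags.append("user_writable_path")
        rec["flags"] = flags
        records.append(rec)
    return records


# Lines copied from the driver and service lists in the log; scan date from info.txt.
SAMPLE = [
    r"R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-09-15 114768]",
    r"R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []",
    r"R2 ROCKEYNT;ROCKEYNT; \??\C:\WINDOWS\system32\drivers\Rockeynt.sys []",
    r"R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-11-04 4423168]",
    r"S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []",
    r"R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-12-02 66872]",
]
SCAN_DAY = date(2009, 12, 2)


def flagged(lines=SAMPLE, scan_day=SCAN_DAY) -> dict:
    """Name -> flags for every entry that earned at least one flag."""
    return {r["name"]: r["flags"] for r in triage(lines, scan_day) if r["flags"]}


if __name__ == "__main__":
    for name, flags in flagged().items():
        print(f"{name:10} {', '.join(flags)}")
```

A flag is a prompt to verify, not a verdict: on this machine the `no_file_info` entries are drivers the uninstall list shows as legitimately installed products, and the `recent` hit is a PunkBuster service file dated the same day as the scan. The `user_writable_path` check fires on nothing here, but it would on a driver like the one GMER itself loads from the user's Temp directory, which is exactly why the helper asks for the GMER log separately.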


#4 syler (Malware Response Team, Warrington, UK)

Posted 02 December 2009 - 05:31 PM

Hi Bhnm,

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.



Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save ... button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Please post back here with the following logs:
  • MBAM log
  • Gmer log
  • New Rsit log
Thanks

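The Flash_Disinfector step in the post above is aimed at the autorun.inf vector, and the MBAM log further down confirms it: a C:\autorun.inf next to C:\q3kku.exe in the root of the system drive. The following is an added example, written for this page and not code from the thread or from Flash_Disinfector, that parses an autorun.inf the way a triage script would, lists what AutoRun would launch from it, and checks whether a drive root carries the protective autorun.inf directory the note above describes. It assumes INI syntax with an [autorun] section and the keys AutoPlay honours (open, shellexecute, shell\<verb>\command); the worm's real file content is not on the page, so the sample below is constructed and reuses only the q3kku.exe file name from the MBAM log.

```python
r"""Added example (mine, not code from the thread or from Flash_Disinfector):
inspect a drive root for the autorun.inf vector behind the C:\autorun.inf and
C:\q3kku.exe pair that MBAM removed, and check for the protective autorun.inf
directory that Flash_Disinfector leaves behind.

Assumptions (not stated on the page): autorun.inf follows INI syntax with an
[autorun] section and the keys AutoPlay honours (open, shellexecute,
shell\<verb>\command); the worm's real file content is not on the page, so
WORM_SAMPLE below is constructed and reuses only the q3kku.exe file name."""
import re
import tempfile
from pathlib import Path

# Keys whose value AutoRun launches directly, then any shell\<verb>\command.
_EXEC_KEYS = ("open", "shellexecute")
_SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text: str) -> dict:
    """Tolerant [autorun] parser: strips the NUL/binary padding droppers add,
    matches the section header case-insensitively, ignores keys outside the
    section and keeps the last of any duplicated key. ASCII values only."""
    keys = {}
    in_section = False
    cleaned = "".join(ch for ch in text if ch == "\n" or 32 <= ord(ch) < 127)
    for raw in cleaned.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip().strip('"')
    return keys


def execution_targets(keys: dict) -> list:
    """Commands the file would hand to AutoRun, open/shellexecute first."""
    targets = [keys[k] for k in _EXEC_KEYS if k in keys]
    targets += [v for k, v in keys.items() if _SHELL_CMD.match(k)]
    return targets


def check_drive_root(root: Path) -> dict:
    """Classify <root>/autorun.inf.
    protected    : a directory holds the name, so a worm cannot drop a file
                   there (the measure Flash_Disinfector applies)
    autorun_file : a real autorun.inf exists; report what it would run
    clean        : nothing by that name"""
    p = root / "autorun.inf"
    if p.is_dir():
        return {"status": "protected", "targets": []}
    if p.is_file():
        text = p.read_bytes().decode("latin-1")
        return {"status": "autorun_file",
                "targets": execution_targets(parse_autorun(text))}
    return {"status": "clean", "targets": []}


# Constructed sample in the style of 2009-era autorun worms (not the real file).
WORM_SAMPLE = (
    "[AutoRun]\n"
    "open=q3kku.exe\n"
    "shellexecute=q3kku.exe\n"
    "shell\\Open\\command=q3kku.exe\n"
    "shell=Open\n"
    "\x00\x00\x00\x01padding\x7f\n"
)


def demo() -> dict:
    """Build two throwaway roots, one infected and one protected, and classify both."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = Path(tmp, "infected")
        infected.mkdir()
        (infected / "autorun.inf").write_text(WORM_SAMPLE)
        protected = Path(tmp, "protected")
        protected.mkdir()
        (protected / "autorun.inf").mkdir()
        return {"infected": check_drive_root(infected),
                "protected": check_drive_root(protected)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real machine you would call `check_drive_root(Path("C:\\"))` for every drive letter and every USB stick; an `autorun_file` result on a fixed disk root has no legitimate explanation, which is why MBAM's C:\autorun.inf hit is decisive on its own. A `protected` result is the state Flash_Disinfector leaves behind, and the reason the note says not to delete that folder.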


#5 Bhnm (Topic Starter)

Posted 03 December 2009 - 04:48 PM

Hi Syler,
here are the things you requested:

MBAM Log :
Malwarebytes' Anti-Malware 1.41
Database version: 3288
Windows 5.1.2600 Service Pack 3

12/4/2009 12:48:23 AM
mbam-log-2009-12-04 (00-48-23).txt

Scan type: Quick Scan
Objects scanned: 103094
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b03a4be6-5e5a-b9b3-483e-c484d4b20b72} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\q3kku.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
============================================================
Gmer Log :
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-04 01:09:59
Windows 5.1.2600 Service Pack 3
Running: i166ytfm.exe; Driver: C:\DOCUME~1\Behnam\LOCALS~1\Temp\pxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xACC1E6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xACC1E574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xACC1EA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xACC1E14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xACC1E64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xACC1E08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xACC1E0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xACC1E76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xACC1E72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xACC1E8AE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xACD030B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 17A 804E49A4 4 Bytes JMP 89A6ACC1
.text ntoskrnl.exe!ZwYieldExecution + 452 804E4C7C 4 Bytes CALL A113F942
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9BE1000, 0x2131D7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01345997 C:\Program Files\Xfire\xfire_toucan_40405.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3344] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01345A97 C:\Program Files\Xfire\xfire_toucan_40405.dll (Xfire Toucan DLL/Xfire Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0xCD 0x50 0x7F 0x1B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{ec52ee0c-af2a-4849-a2a1-c7d2079f9d4b}@Model 314
Reg HKLM\SOFTWARE\Classes\CLSID\{ec52ee0c-af2a-4849-a2a1-c7d2079f9d4b}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{ec52ee0c-af2a-4849-a2a1-c7d2079f9d4b}@MData 0x2B 0x8F 0x78 0x29 ...

---- EOF - GMER 1.0.15 ----
============================================================
RSIT Log
Logfile of random's system information tool 1.06 (written by random/random)
Run by Behnam at 2009-12-04 01:17:33
Microsoft Windows XP Professional Service Pack 3
System drive C: has 116 GB (88%) free of 131 GB
Total RAM: 2047 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:33 AM, on 12/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HyperIM\HyperIM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Behnam\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Behnam.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8538 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2009-05-07 169392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
Yahoo! Companion BHO - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll [2005-04-13 327748]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Companion - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll [2005-04-13 327748]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2008-04-14 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-14 455168]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2009-07-01 37888]
"OrderReminder"=C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe [2005-03-18 98304]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-09-15 81000]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2008-04-14 59392]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-07-05 16380416]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2007-09-20 1836328]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"IDMan"=C:\Program Files\Internet Download Manager\IDMan.exe [2009-12-02 2815408]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"HyperIM"=C:\Program Files\HyperIM\HyperIM.exe [2007-11-18 220672]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-11-23 2001648]
"Registry Cleaner Scheduler"=C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe [2009-11-28 1401096]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe [2007-09-20 202024]

C:\Documents and Settings\Behnam\Start Menu\Programs\Startup
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2009-11-04 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FFFFFFFF

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\q3kku.exe
shell\open\command - C:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\q3kku.exe
shell\open\command - D:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\q3kku.exe
shell\open\command - E:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\.\AutorunX\AutorunX.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4981fbd-b81e-11de-ad74-001d7d45097c}]
shell\AutoRun\command - H:\q3kku.exe
shell\open\command - H:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3a40ef2-b8e0-11de-ad76-001d7d45097c}]
shell\AutoRun\command - H:\ymxf2.exe
shell\open\command - H:\ymxf2.exe


======List of files/folders created in the last 1 months======

2009-12-04 00:37:35 ----D---- C:\Documents and Settings\Behnam\Application Data\Malwarebytes
2009-12-04 00:37:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-04 00:37:30 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-02 23:59:41 ----D---- C:\Documents and Settings\Behnam\Application Data\Nero
2009-12-02 23:59:32 ----A---- C:\WINDOWS\system32\MsiExec.exe.log
2009-12-02 23:58:18 ----D---- C:\Program Files\Nero
2009-12-02 23:58:18 ----D---- C:\Program Files\Common Files\Nero
2009-12-02 23:58:18 ----D---- C:\Documents and Settings\All Users\Application Data\Nero
2009-12-02 23:24:04 ----D---- C:\rsit
2009-12-02 20:36:44 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-12-02 20:36:28 ----D---- C:\Program Files\ATI
2009-12-02 19:35:49 ----D---- C:\WINDOWS\Prefetch
2009-12-02 19:25:40 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-12-02 19:19:42 ----A---- C:\WINDOWS\system32\irclass.dll
2009-12-02 19:19:41 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-12-02 19:19:27 ----RA---- C:\WINDOWS\SET4E.tmp
2009-12-02 19:19:23 ----RA---- C:\WINDOWS\SET42.tmp
2009-12-02 19:19:20 ----RA---- C:\WINDOWS\SET3F.tmp
2009-12-02 19:18:38 ----A---- C:\WINDOWS\setuplog.txt
2009-12-02 19:09:09 ----A---- C:\WINDOWS\UPGRADE.TXT
2009-12-02 18:58:00 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-02 18:57:54 ----D---- C:\Program Files\CleanMyPC
2009-12-02 18:40:54 ----D---- C:\WINDOWS\WBEM
2009-12-02 18:40:43 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-12-02 18:40:43 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2009-12-02 18:39:51 ----HDC---- C:\WINDOWS\ie8
2009-12-02 18:39:24 ----D---- C:\bf4a36bbf23c035ffaf0fad800784e51
2009-11-30 23:03:46 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-11-28 11:54:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-11-28 02:09:15 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-28 02:09:09 ----D---- C:\Program Files\SUPERAntiSpyware
2009-11-28 02:09:09 ----D---- C:\Documents and Settings\Behnam\Application Data\SUPERAntiSpyware.com
2009-11-27 23:46:27 ----D---- C:\Program Files\Trend Micro
2009-11-27 23:29:30 ----SHD---- C:\WINDOWS\ftpcache
2009-11-27 23:29:25 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2009-11-27 23:29:25 ----A---- C:\WINDOWS\system32\x3daudio1_2.dll
2009-11-27 23:29:25 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2009-11-27 23:29:24 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2009-11-27 23:29:24 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2009-11-27 23:29:24 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2009-11-27 23:29:23 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2009-11-27 23:29:22 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2009-11-27 23:29:22 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2009-11-27 23:29:20 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2009-11-27 23:29:20 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2009-11-27 23:29:20 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2009-11-27 23:29:19 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2009-11-27 23:29:18 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2009-11-27 23:29:17 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2009-11-27 23:29:16 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2009-11-27 23:29:16 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2009-11-27 23:29:16 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2009-11-27 23:29:15 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2009-11-27 23:29:15 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2009-11-27 23:29:14 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2009-11-27 23:27:54 ----D---- C:\WINDOWS\system32\LogFiles
2009-11-27 23:27:54 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-11-27 23:27:54 ----A---- C:\WINDOWS\system32\PnkBstrA.exe
2009-11-27 23:27:52 ----A---- C:\WINDOWS\game.ini
2009-11-27 23:21:26 ----D---- C:\Program Files\Activision
2009-11-27 22:06:22 ----D---- C:\Documents and Settings\Behnam\Application Data\WinRAR
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\MSVCR71.dll
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\MSVCP71.dll
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\MFC71.dll
2009-11-27 20:55:05 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-11-27 20:55:04 ----D---- C:\Program Files\Alwil Software
2009-11-27 20:54:21 ----D---- C:\Program Files\WinRAR
2009-11-27 20:46:37 ----D---- C:\WINDOWS\pss
2009-11-27 20:35:54 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-11-27 20:35:31 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-27 20:35:25 ----D---- C:\Program Files\Common Files\Adobe
2009-11-27 20:35:25 ----D---- C:\Program Files\Adobe
2009-11-20 16:53:19 ----D---- C:\Documents and Settings\Behnam\Application Data\Ventrilo
2009-11-20 16:52:57 ----D---- C:\Program Files\Ventrilo
2009-11-20 16:52:45 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-19 23:50:19 ----D---- C:\Documents and Settings\Behnam\Application Data\Macromedia
2009-11-19 23:50:19 ----D---- C:\Documents and Settings\Behnam\Application Data\Adobe
2009-11-16 14:31:05 ----D---- C:\backup_p
2009-11-16 14:31:01 ----A---- C:\WINDOWS\system32\win32loa.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\qtintf.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\odbcinst.ini
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\odbc.ini
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idsql32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idr20009.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idqbe32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idpdx32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idodbc32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\iddr32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idbat32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idasci32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\idapi32.dll
2009-11-16 14:30:53 ----A---- C:\WINDOWS\system32\cp3245mt.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\cc3250mt.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\borlndmm.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\blw32.dll
2009-11-16 14:30:52 ----A---- C:\WINDOWS\system32\bantam.dll
2009-11-16 14:30:27 ----D---- C:\Patris
2009-11-16 14:30:23 ----A---- C:\WINDOWS\system32\RockVdd.dll
2009-11-07 23:44:01 ----A---- C:\WINDOWS\system32\ptpusd.dll
2009-11-07 23:44:01 ----A---- C:\WINDOWS\system32\ptpusb.dll
2009-11-06 20:46:03 ----A---- C:\WINDOWS\client.config.ini
2009-11-05 14:52:25 ----D---- C:\Program Files\MiniLyrics
2009-11-05 14:52:21 ----D---- C:\Program Files\HyperIM

======List of files/folders modified in the last 1 months======

2009-12-04 01:13:10 ----D---- C:\WINDOWS\Temp
2009-12-04 01:13:07 ----D---- C:\Program Files\Mozilla Firefox
2009-12-04 01:12:30 ----D---- C:\Documents and Settings\Behnam\Application Data\DMCache
2009-12-04 01:11:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-04 00:51:27 ----D---- C:\Documents and Settings\Behnam\Application Data\Xfire
2009-12-04 00:48:23 ----D---- C:\WINDOWS
2009-12-04 00:37:32 ----D---- C:\WINDOWS\system32\drivers
2009-12-04 00:37:30 ----RD---- C:\Program Files
2009-12-03 13:51:04 ----D---- C:\Program Files\Internet Download Manager
2009-12-03 13:42:52 ----D---- C:\Program Files\Xfire
2009-12-03 00:00:13 ----SHD---- C:\WINDOWS\Installer
2009-12-02 23:59:32 ----D---- C:\WINDOWS\system32
2009-12-02 23:58:18 ----D---- C:\Program Files\Common Files
2009-12-02 23:58:17 ----D---- C:\WINDOWS\Cursors
2009-12-02 23:54:04 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-02 23:53:55 ----D---- C:\WINDOWS\WinSxS
2009-12-02 22:47:11 ----D---- C:\WINDOWS\system32\Setup
2009-12-02 22:47:11 ----D---- C:\WINDOWS\system
2009-12-02 22:47:05 ----D---- C:\WINDOWS\L2Schemas
2009-12-02 22:47:04 ----D---- C:\WINDOWS\system32\usmt
2009-12-02 22:46:54 ----D---- C:\WINDOWS\AppPatch
2009-12-02 22:46:48 ----D---- C:\WINDOWS\mui
2009-12-02 22:46:47 ----D---- C:\WINDOWS\ehome
2009-12-02 22:46:46 ----D---- C:\WINDOWS\ime
2009-12-02 22:46:45 ----D---- C:\WINDOWS\Media
2009-12-02 22:46:44 ----D---- C:\WINDOWS\Network Diagnostic
2009-12-02 22:46:43 ----D---- C:\WINDOWS\system32\scripting
2009-12-02 22:46:35 ----D---- C:\WINDOWS\PeerNet
2009-12-02 22:46:25 ----D---- C:\WINDOWS\system32\npp
2009-12-02 22:46:19 ----D---- C:\WINDOWS\msagent
2009-12-02 22:46:16 ----D---- C:\WINDOWS\system32\en
2009-12-02 22:43:01 ----D---- C:\WINDOWS\twain_32
2009-12-02 22:42:16 ----D---- C:\WINDOWS\system32\icsxml
2009-12-02 22:41:54 ----D---- C:\WINDOWS\system32\ias
2009-12-02 22:41:50 ----D---- C:\WINDOWS\system32\1033
2009-12-02 22:41:01 ----D---- C:\WINDOWS\Driver Cache
2009-12-02 20:36:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-02 20:36:49 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-12-02 20:36:48 ----HD---- C:\WINDOWS\inf
2009-12-02 20:36:44 ----D---- C:\Program Files\ATI Technologies
2009-12-02 20:36:39 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-02 20:10:59 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-02 19:58:48 ----D---- C:\WINDOWS\Help
2009-12-02 19:58:48 ----D---- C:\Program Files\Internet Explorer
2009-12-02 19:49:35 ----D---- C:\WINDOWS\system32\en-US
2009-12-02 19:45:46 ----D---- C:\WINDOWS\system32\Restore
2009-12-02 19:36:52 ----D---- C:\WINDOWS\Registration
2009-12-02 19:35:59 ----SHD---- C:\System Volume Information
2009-12-02 19:28:54 ----D---- C:\WINDOWS\system32\config
2009-12-02 19:28:54 ----A---- C:\WINDOWS\imsins.BAK
2009-12-02 19:26:25 ----A---- C:\WINDOWS\OEWABLog.txt
2009-12-02 19:26:21 ----A---- C:\WINDOWS\ODBCINST.INI
2009-12-02 19:25:42 ----RD---- C:\WINDOWS\Web
2009-12-02 19:25:36 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-12-02 19:25:28 ----A---- C:\WINDOWS\win.ini
2009-12-02 19:25:22 ----D---- C:\WINDOWS\system32\oobe
2009-12-02 19:25:20 ----D---- C:\WINDOWS\security
2009-12-02 19:24:52 ----D---- C:\WINDOWS\system32\Com
2009-12-02 19:24:34 ----D---- C:\WINDOWS\system32\wbem
2009-12-02 19:24:05 ----SH---- C:\boot.ini
2009-12-02 19:20:09 ----A---- C:\WINDOWS\system.ini
2009-12-02 19:19:51 ----RSD---- C:\WINDOWS\Fonts
2009-12-02 19:19:34 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2009-12-02 19:19:29 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-02 18:39:35 ----D---- C:\WINDOWS\SoftwareDistribution
2009-11-30 14:04:58 ----SD---- C:\Documents and Settings\Behnam\Application Data\Microsoft
2009-11-30 14:04:57 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-11-27 23:29:11 ----D---- C:\WINDOWS\system32\DirectX
2009-11-27 23:27:51 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-27 21:43:49 ----SHD---- C:\RECYCLER
2009-11-09 18:24:53 ----D---- C:\Documents and Settings\Behnam\Application Data\IDM
2009-11-06 15:25:52 ----D---- C:\Program Files\MSN

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-09-15 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-09-15 94160]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2008-04-14 11868]
R2 ROCKEYNT;ROCKEYNT; \??\C:\WINDOWS\system32\drivers\Rockeynt.sys []
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-11-04 4423168]
R3 HdAudAddService;ATI Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\AtiHdAud.sys [2006-12-28 84992]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2008-04-14 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2008-04-14 220032]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-07-18 4547584]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2007-08-07 98944]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2008-04-14 685056]
S3 rockusb;ROCKUSB; C:\WINDOWS\system32\DRIVERS\rockusb.sys [2009-11-16 23576]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-09-15 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-11-04 602112]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-09-15 138680]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-20 853288]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-12-02 66872]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-09-15 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-09-15 352920]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-09-20 382248]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2009-08-13 593920]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]

-----------------EOF-----------------




Thanks for helping me!



#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 04 December 2009 - 02:41 PM

Bhnm,

The following OTM script is going to be removing files from the C, D, E, F, and H drives, so if any of them are removable drives please make sure you have them plugged in when running OTM.


Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.


We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4981fbd-b81e-11de-ad74-001d7d45097c}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3a40ef2-b8e0-11de-ad76-001d7d45097c}]
    :Files
    C:\q3kku.exe
    D:\q3kku.exe
    E:\q3kku.exe
    F:\.\AutorunX
    H:\q3kku.exe
    H:\ymxf2.exe
    :Commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please post back here with the following logs:
  • OTM results
  • New Rsit log
Thanks

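As an added example (not part of this thread, of RSIT or of OTM), the script below parses the mountpoints2 block of an RSIT registry dump like the one posted above and emits the :Reg / :Files / :Commands lines of an OTM script in the syntax syler used; the dump excerpt is constructed from the paths and volume GUID in this thread, and the extension list and the "flag every AutoRun handler" rule are the example's own assumptions.

```python
"""Pull MountPoints2 shell handlers out of an RSIT registry dump and turn them
into the :Reg / :Files / :Commands sections of an OTM script.

Added example for this thread; it is not part of RSIT, OTM or syler's post.
The OTM section syntax is copied from the script posted above, and the dump
excerpt below is constructed in the shape of the RSIT "Registry dump" section
using paths and a volume GUID taken from the log in this thread.
"""
import re
from collections import OrderedDict

# Constructed input: two infected MountPoints2 keys (drive-letter and volume
# GUID form), one pointing into the AutorunX directory, plus an unrelated Run
# key that the parser must ignore.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\q3kku.exe
shell\open\command - C:\q3kku.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\.\AutorunX\AutorunX.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4981fbd-b81e-11de-ad74-001d7d45097c}]
shell\AutoRun\command - H:\q3kku.exe
shell\open\command - H:\q3kku.exe
"""

# RSIT prints a key as "[HKEY_...]" and each handler as "shell\<verb>\command - <target>".
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CMD_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$")
# Assumed list of extensions that Explorer would execute rather than display.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")


def parse_mountpoints(dump):
    """Return {registry key: [(verb, command), ...]} for every MountPoints2
    subkey in the dump that carries a shell\\<verb>\\command handler."""
    found = OrderedDict()
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            # Only track keys under MountPoints2; everything else is skipped.
            current = key if "\\mountpoints2\\" in key.lower() else None
            continue
        m = CMD_RE.match(line) if current else None
        if m:
            found.setdefault(current, []).append(
                (m.group("verb"), m.group("cmd").strip()))
    return found


def is_launcher(verb, cmd):
    """A handler is worth removing when it auto-runs on insert, or when
    opening the drive would start a program stored on that drive."""
    return verb.lower() == "autorun" or cmd.lower().endswith(EXEC_EXT)


def build_otm_script(found):
    """Emit the OTM sections: delete each offending MountPoints2 key, then the
    files it pointed to, then empty temp folders, as in the posted script."""
    keys = [k for k, handlers in found.items()
            if any(is_launcher(v, c) for v, c in handlers)]
    files = []
    for key in keys:
        for verb, cmd in found[key]:
            if is_launcher(verb, cmd) and cmd not in files:
                files.append(cmd)
    return "\n".join([":Reg"] + ["[-%s]" % k for k in keys]
                     + [":Files"] + files + [":Commands", "[EmptyTemp]"])


if __name__ == "__main__":
    print(build_otm_script(parse_mountpoints(SAMPLE_DUMP)))
```

Note that syler's script lists the F:\.\AutorunX directory rather than the executable inside it; this generator emits the handler target itself.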


#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 December 2009 - 09:05 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



