
HijackThis Log


This topic is locked. 30 replies to this topic.

#1 Oscarespinosa07
  • Members
  • 29 posts
  • Local time:04:59 AM

Posted 11 December 2009 - 03:13 PM

Ok, so I have a Compaq SR5223WM desktop running Windows 7.
It recently got spyware. I ran Malwarebytes and SUPERAntiSpyware; they picked up a couple of things and removed them without a problem, and the programs no longer pick anything up, but I'm still having some problems. One of them is Google results getting redirected to other sites, and ads popping up in new tabs as soon as I load the internet. I've already cleared all history and temp files with CCleaner. So now I decided to just post my HijackThis log.

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:01 PM, on 12/11/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Keyboard & Mouse Driver\StartAutorun.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Keyboard & Mouse Driver\KMConfig.exe
C:\Program Files\Keyboard & Mouse Driver\KMProcess.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Keyboard & Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Keyboard & Mouse Driver\KMWDSrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7739 bytes


#2 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:03:59 PM

Posted 15 December 2009 - 03:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 Oscarespinosa07 (Topic Starter)
  • Members
  • 29 posts
  • Local time:04:59 AM

Posted 15 December 2009 - 04:18 PM

Ok, here are both logs. I'd also like to apologize for the PM; I didn't mean any harm by it.
Also, it seems that whatever this is has blocked me out of the Task Manager.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Oscar at 15:12:17.39 on Tue 12/15/2009
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.2046.1287 [GMT -6:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Keyboard & Mouse Driver\KMWDSrv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k netsvc
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Keyboard & Mouse Driver\StartAutorun.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Keyboard & Mouse Driver\KMConfig.exe
C:\Windows\System32\winupdate86.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Keyboard & Mouse Driver\KMProcess.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\jusched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Oscar\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wuauclt.exe

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KMCONFIG] c:\program files\keyboard & mouse driver\StartAutorun.exe KMConfig.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\evo1bqj8.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\svchost.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\oscar\appdata\roaming\mozilla\firefox\profiles\1xitc5ci.default\
FF - component: c:\users\oscar\appdata\roaming\mozilla\firefox\profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\oscar\appdata\roaming\mozilla\firefox\profiles\1xitc5ci.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\oscar\appdata\roaming\mozilla\firefox\profiles\1xitc5ci.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-14 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-14 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-14 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-14 138680]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\keyboard & mouse driver\KMWDSrv.exe [2008-6-23 208896]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2009-7-13 20992]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [2009-11-23 2048]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-14 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-14 352920]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-4 25832]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-23 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\drivers\KMWDFILTER.sys [2009-4-29 17024]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2009-11-17 36928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]

=============== Created Last 30 ================

2009-12-14 22:08:29 0 d-----w- c:\program files\InternetSecurity2010
2009-12-14 20:25:36 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-14 18:07:51 32768 ----a-w- c:\windows\system32\msilojzb.dll
2009-12-14 18:07:50 18944 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-14 18:07:48 2854 ----a-w- c:\windows\system32\critical_warning.html
2009-12-14 18:07:44 19968 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-14 18:07:44 19968 ----a-w- c:\windows\system32\winlogon86.exe
2009-12-14 18:07:37 19968 ----a-w- C:\dens.exe
2009-12-14 18:07:32 52736 ----a-w- C:\enhs.exe
2009-12-14 18:07:31 8704 ----a-w- C:\acad.exe
2009-12-11 19:59:25 0 d-----w- c:\program files\Trend Micro
2009-12-11 10:12:14 132096 --sha-r- c:\windows\system32\propsys3.dll
2009-12-11 10:06:50 0 d-----w- c:\users\oscar\appdata\roaming\SUPERAntiSpyware.com
2009-12-11 10:06:50 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-09 21:25:12 0 d-sh--w- c:\users\oscar\appdata\roaming\lowsec
2009-12-06 13:16:32 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-06 13:16:32 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-06 13:16:13 0 d-----w- c:\program files\iPod
2009-12-06 13:16:12 0 d-----w- c:\program files\iTunes
2009-12-04 03:48:37 55072 ----a-w- c:\windows\system32\jureg.exe
2009-11-26 09:31:25 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 15:01:13 117760 ----a-w- c:\windows\system32\hpz3l4v2.dll
2009-11-24 00:53:19 0 d-----w- c:\program files\Prolific
2009-11-24 00:53:05 76800 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2009-11-24 00:41:15 65536 --sha-w- c:\users\oscar\ntuser.dat{06333e75-d892-11de-9041-001d6042e7d5}.TM.blf
2009-11-24 00:41:15 524288 --sha-w- c:\users\oscar\ntuser.dat{06333e75-d892-11de-9041-001d6042e7d5}.TMContainer00000000000000000002.regtrans-ms
2009-11-24 00:41:15 524288 --sha-w- c:\users\oscar\ntuser.dat{06333e75-d892-11de-9041-001d6042e7d5}.TMContainer00000000000000000001.regtrans-ms
2009-11-23 19:15:21 2048 ----a-w- c:\windows\system32\drivers\portio32.sys
2009-11-23 19:15:21 19968 ----a-w- c:\windows\system32\portio32.dll
2009-11-21 08:31:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-20 00:40:11 0 d-----w- c:\programdata\Office Genuine Advantage
2009-11-20 00:40:10 0 d-----w- c:\users\oscar\Office Genuine Advantage
2009-11-18 05:59:23 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-11-18 02:31:21 0 d-----w- c:\users\oscar\appdata\roaming\XLink Kai
2009-11-18 02:28:24 0 d-----w- c:\program files\XLink Kai
2009-11-17 01:17:18 8192 ----a-w- C:\bootsect.lxe.bak
2009-11-17 01:17:17 383592 --sh--r- C:\gdrop
2009-11-17 01:17:17 171136 --sh--r- C:\xeldr

==================== Find3M ====================

2009-12-03 22:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 20:23:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-13 08:44:21 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-11 11:37:18 2542458 ----a-w- c:\windows\system32\abgx360.exe
2009-11-10 05:47:57 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-10 05:47:50 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-09 07:49:36 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-09 07:42:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-09 07:32:56 22328 ----a-w- c:\users\oscar\appdata\roaming\PnkBstrK.sys
2009-11-09 07:32:41 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-08 21:52:12 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-11-03 08:28:43 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-03 08:28:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 02:42:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-10-20 06:36:29 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-19 21:22:44 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-10-17 21:27:01 1706 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_GN573AA-ABA SR5223WM_YC_0Pres_QCNH737_E74NAv3PrA2_49_IIVY8_SASUSTek Computer INC._V2.00_B5.10_T070716_WUH0_L409_M2047_J120_7AMD_8unknown_92.7_#071123_N10DE03EF_Z14F12F00_G10DE0641.MRK
2009-10-11 10:17:45 386872 ----a-w- c:\windows\system32\jucheck.exe
2009-10-11 10:17:36 149280 ----a-w- c:\windows\system32\jusched.exe
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 23:47:30 2173544 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 23:47:00 92776 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 23:47:00 805480 ----a-w- c:\windows\system32\nvsvc.dll
2009-09-27 23:47:00 4033128 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 23:47:00 3553896 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 23:47:00 3172968 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 23:47:00 215656 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 23:47:00 195176 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 23:47:00 1309288 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 23:47:00 1292904 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 23:46:00 4942440 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 23:46:00 13949544 ----a-w- c:\windows\system32\nvcpl.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:15:35 29696 --sha-w- c:\windows\system32\notepad.dll
2009-07-14 01:15:35 29696 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2009-07-14 01:15:35 29696 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\startup\scandisk.dll
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:13:07.12 ===============
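An added triage example, not from the original post and not part of the DDS or HijackThis tools: a Python script that applies, mechanically, the checks a malware-response helper applies by eye to the Pseudo HJT Report above (and equally to the O4 and R lines of the HijackThis log in post #1). The sample lines are constructed by copying entries from the DDS report in this post, with one benign Run value and one benign driver kept for contrast. The rules are illustrative heuristics chosen for this log, not a complete detection set: a Userinit value that no longer points at userinit.exe, Run values that execute from Temp or the system profile, random-looking value names, files that borrow the name of a Windows binary, policies that disable Task Manager, regedit, Folder Options or UAC, and a burst of new binaries created within a few minutes of each other. The five-minute window, the borrowed-name list and the function names are assumptions of this example.

```python
"""Triage helpers for a DDS report (added example; the rules are illustrative heuristics)."""
import re
from datetime import datetime, timedelta

# Constructed sample: Pseudo HJT Report lines copied from the post above (one benign Run value kept).
SAMPLE_HJT = r"""
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\evo1bqj8.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\svchost.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableRegistryTools = 1 (0x1)
"""

# Constructed sample: a subset of the "Created Last 30" section from the same post (one benign driver kept).
SAMPLE_CREATED = r"""
2009-12-14 20:25:36 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-14 18:07:51 32768 ----a-w- c:\windows\system32\msilojzb.dll
2009-12-14 18:07:50 18944 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-14 18:07:44 19968 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-14 18:07:44 19968 ----a-w- c:\windows\system32\winlogon86.exe
2009-12-14 18:07:37 19968 ----a-w- C:\dens.exe
2009-12-14 18:07:32 52736 ----a-w- C:\enhs.exe
2009-12-14 18:07:31 8704 ----a-w- C:\acad.exe
"""

SYSTEM32 = "c:\\windows\\system32"
DEFAULT_USERINIT = SYSTEM32 + "\\userinit.exe"      # the stock Winlogon Userinit value
SUSPICIOUS_DIRS = ("\\temp\\", "\\config\\systemprofile", "\\config\\system~1", "\\$recycle.bin\\")
SYSTEM_NAMES = {"notepad", "scandisk", "winlogon", "svchost", "userinit", "explorer", "lsass", "csrss"}
LOCKDOWN_POLICIES = {("DisableTaskMgr", "1"), ("DisableRegistryTools", "1"),
                     ("NoFolderOptions", "1"), ("EnableLUA", "0")}
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+ \S+ (?P<path>.+)$")

def first_path(cmd):
    """Return the program (or, for rundll32, the DLL) a Run command launches, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        return cmd[1:cmd.find('"', 1)].lower()
    if cmd.lower().startswith("rundll32.exe "):  # inspect the DLL, not rundll32 itself
        cmd = cmd[len("rundll32.exe "):]
    return cmd.split(",")[0].split()[0].lower()

def run_reasons(name, cmd):
    """Heuristics for one Run value; returns the reasons it stands out (empty list if none)."""
    reasons = []
    path = first_path(cmd)
    directory, _, base = path.rpartition("\\")
    stem, _, ext = base.rpartition(".")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a temp or system-profile directory")
    if re.fullmatch(r"[a-z0-9]{20,}", name):
        reasons.append("random-looking value name")
    bare = re.sub(r"\d+$", "", stem)             # winlogon86 -> winlogon
    if bare in SYSTEM_NAMES and (bare != stem or ext != "exe" or directory != SYSTEM32):
        reasons.append("borrows the name of a Windows binary (%s)" % base)
    return reasons

def triage_hjt(report):
    """Return (line, reason) pairs for every suspicious Pseudo-HJT line."""
    findings = []
    for line in (l.strip() for l in report.splitlines() if l.strip()):
        if line.startswith("mWinlogon: Userinit="):
            target = line.split("=", 1)[1].strip().rstrip(",").lower()
            if target != DEFAULT_USERINIT:
                findings.append((line, "Userinit replaced: logon chain hijacked"))
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend((line, r) for r in run_reasons(m["name"], m["cmd"]))
            continue
        m = POLICY_RE.match(line)
        if m and (m["key"], m["val"]) in LOCKDOWN_POLICIES:
            findings.append((line, "policy disables Task Manager/regedit/Folder Options or UAC"))
    return findings

def created_clusters(listing, window=timedelta(minutes=5), min_files=3):
    """Group new exe/dll/sys files by creation time; a burst inside one window is a dropper footprint."""
    entries = []
    for line in listing.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and m["path"].lower().rsplit(".", 1)[-1] in ("exe", "dll", "sys"):
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m["path"].lower()))
    clusters = []
    for ts, path in sorted(entries):             # greedy: extend the cluster while within the window
        if clusters and ts - clusters[-1][0][0] <= window:
            clusters[-1].append((ts, path))
        else:
            clusters.append([(ts, path)])
    return [[p for _, p in c] for c in clusters if len(c) >= min_files]

if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print("FLAG:", reason, "<-", line[:60])
    print("bursts:", created_clusters(SAMPLE_CREATED))
```

Run stand-alone it prints eleven flags for the sample (the Userinit hijack, both rundll32 entries, the two random-named Temp entries, the Temp svchost.exe and the three lockdown policies) and one burst of seven binaries created at 18:07 on 2009-12-14. Note that winupdate86.exe passes every autorun rule and only surfaces through the creation-time cluster; that is why a responder reads the "Created Last 30" section alongside the autoruns rather than on its own.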

Attached Files



#4 Ried
  • Malware Response Team
  • 1,009 posts
  • Gender:Male
  • Local time:08:59 AM

Posted 15 December 2009 - 10:53 PM

Hello Oscarespinosa07 and thank you for your patience,

Download ComboFix from here

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 Oscarespinosa07 (Topic Starter)
  • Members
  • 29 posts
  • Local time:04:59 AM

Posted 16 December 2009 - 12:00 AM

Ok, I downloaded ComboFix, but it gave me a warning; I have attached a picture of it.
I just wanted to make sure it is safe to continue.

Attached Files



#6 Ried
  • Malware Response Team
  • 1,009 posts
  • Gender:Male
  • Local time:08:59 AM

Posted 16 December 2009 - 12:06 AM

Yes, please do continue.



#7 Oscarespinosa07 (Topic Starter)
  • Members
  • 29 posts
  • Local time:04:59 AM

Posted 16 December 2009 - 01:08 AM

Ok, all done. Here is the log:

ComboFix 09-12-15.01 - Oscar 12/15/2009 23:20:36.1.1 - x86
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.2046.1294 [GMT -6:00]
Running from: c:\users\Oscar\Desktop\KittyFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\$recycle.bin\S-1-5-21-3118473555-3083992710-3658914768-500
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
c:\users\Oscar\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Security 2010.lnk
c:\users\Oscar\Desktop\Internet Security 2010.lnk
c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\critical_warning.html
c:\windows\system32\msilojzb.dll
c:\windows\system32\notepad.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\Temp\1313570656.exe

Infected copy of c:\windows\system32\DRIVERS\nvstor32.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.

2009-12-16 05:43 . 2009-12-16 05:45 -------- d-----w- c:\users\Oscar\AppData\Local\temp
2009-12-16 05:43 . 2009-12-16 05:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-14 20:25 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-14 20:25 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-14 20:25 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-14 20:25 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-14 20:25 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-14 20:25 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-14 20:25 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-14 20:25 . 2009-12-14 20:25 -------- d-----w- c:\program files\Alwil Software
2009-12-14 18:08 . 2009-12-14 18:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Yahoo!
2009-12-11 19:59 . 2009-12-11 19:59 -------- d-----w- c:\program files\Trend Micro
2009-12-11 10:12 . 2009-12-11 10:12 132096 --sha-r- c:\windows\system32\propsys3.dll
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-11 08:57 . 2009-12-11 08:57 -------- d-----w- c:\users\Oscar\AppData\Local\Diagnostics
2009-12-09 21:25 . 2009-12-11 06:56 -------- d-sh--w- c:\users\Oscar\AppData\Roaming\lowsec
2009-12-08 05:51 . 2009-12-08 05:52 -------- d-----w- c:\users\Oscar\AppData\Local\Microsoft Games
2009-12-06 13:16 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-06 13:16 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iPod
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iTunes
2009-12-06 13:15 . 2009-12-06 13:15 -------- d-----w- c:\program files\QuickTime
2009-12-04 03:48 . 2009-10-11 10:17 55072 ----a-w- c:\windows\system32\jureg.exe
2009-11-30 08:44 . 2009-12-12 05:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\dvdcss
2009-11-26 09:31 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 15:01 . 2007-02-02 17:26 273920 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp4v2.dll
2009-11-24 15:01 . 2007-02-02 17:27 117760 ----a-w- c:\windows\system32\hpz3l4v2.dll
2009-11-24 00:53 . 2009-11-24 00:53 -------- d-----w- c:\program files\Prolific
2009-11-24 00:53 . 2007-08-01 00:45 76800 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2009-11-23 19:59 . 2009-12-01 23:38 -------- d-----w- c:\users\Oscar\AppData\Local\ApplicationHistory
2009-11-23 19:59 . 2009-11-23 19:59 93 ----a-w- c:\users\Oscar\AppData\Local\fusioncache.dat
2009-11-23 19:15 . 2004-07-14 16:51 2048 ----a-w- c:\windows\system32\drivers\portio32.sys
2009-11-23 19:15 . 2004-07-14 16:51 19968 ----a-w- c:\windows\system32\portio32.dll
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\users\Oscar\Office Genuine Advantage
2009-11-19 03:31 . 2009-12-12 09:09 -------- d-----w- c:\users\Oscar\AppData\Roaming\vlc
2009-11-18 05:59 . 2009-11-18 05:59 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-11-18 02:31 . 2009-11-18 05:59 -------- d-----w- c:\users\Oscar\AppData\Roaming\XLink Kai
2009-11-18 02:28 . 2009-11-18 02:28 -------- d-----w- c:\program files\XLink Kai
2009-11-17 04:51 . 2009-11-17 04:51 -------- d-----w- c:\users\Oscar\AppData\Local\ElevatedDiagnostics
2009-11-16 08:35 . 2009-11-16 08:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\CyberLink
2009-11-16 08:35 . 2009-11-16 08:35 134416 ----a-w- c:\users\Oscar\AppData\Local\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-16 05:44 . 2009-10-18 00:09 -------- d-----w- c:\programdata\NVIDIA
2009-12-14 22:08 . 2009-12-14 22:08 29696 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll
2009-12-14 18:18 . 2009-12-14 18:18 29696 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll
2009-12-14 18:18 . 2009-12-14 18:18 15001 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe
2009-12-14 18:18 . 2009-12-14 18:18 15000 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{E55E51D1-D3C8-CEA2-17E7-2420185D003E}-to5ffztij8.dll
2009-12-14 18:07 . 2009-12-14 18:07 19968 ----a-w- C:\dens.exe
2009-12-14 18:07 . 2009-12-14 18:07 52736 ----a-w- C:\enhs.exe
2009-12-14 18:07 . 2009-12-14 18:07 8704 ----a-w- C:\acad.exe
2009-12-12 00:11 . 2009-10-19 03:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\uTorrent
2009-12-11 10:07 . 2009-12-11 10:07 117760 ----a-w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-11 10:06 . 2009-10-17 22:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-11 08:58 . 2009-10-19 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-10 18:05 . 2009-12-10 18:05 57856 ----a-w- c:\programdata\Adobe\sp.DLL
2009-12-09 03:07 . 2009-10-19 04:29 -------- d-----w- c:\programdata\Microsoft Help
2009-12-06 17:10 . 2009-10-19 03:03 -------- d-----w- c:\users\Oscar\AppData\Roaming\Apple Computer
2009-12-06 15:53 . 2009-10-19 15:36 -------- d-----w- c:\users\Oscar\AppData\Roaming\LimeWire
2009-12-06 13:16 . 2009-10-19 02:44 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 13:15 . 2009-10-19 02:46 -------- d-----w- c:\programdata\Apple Computer
2009-12-05 08:38 . 2009-12-05 08:38 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-04 03:48 . 2007-08-31 12:10 -------- d-----w- c:\program files\Java
2009-12-03 22:14 . 2009-10-19 03:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-10-19 03:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 21:51 . 2009-12-03 21:51 111616 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{115D9FE6-030A-6AB2-29B2-3F69DFFD1DAB}-svchost.exe
2009-11-28 08:01 . 2009-11-13 19:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\abgx360
2009-11-26 18:16 . 2009-10-19 17:30 -------- d-----w- c:\programdata\NOS
2009-11-26 04:12 . 2009-11-26 04:12 1925024 ----a-w- c:\programdata\NOS\Adobe_Downloads\install_flash_player.exe
2009-11-26 04:12 . 2009-11-26 04:12 836464 ----a-w- c:\programdata\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-11-24 15:01 . 2007-08-31 12:48 -------- d-----w- c:\programdata\Hewlett-Packard
2009-11-24 00:54 . 2009-11-24 00:54 30127432 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{1A89C850-49D9-E4A7-41B6-0CDFE249C489}-fm.exe
2009-11-24 00:53 . 2007-08-31 11:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 08:31 . 2009-11-21 08:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-21 00:21 . 2009-12-09 01:48 52224 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
2009-11-21 00:21 . 2009-12-09 01:48 114688 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\npmozax.dll
2009-11-18 02:28 . 2009-11-18 02:28 2469888 ----a-r- c:\users\Oscar\AppData\Roaming\Microsoft\Installer\{2773B836-AC66-4178-A414-C5A0F9F5D805}\kaiEngine.exe
2009-11-16 08:35 . 2007-08-31 12:03 -------- d-----w- c:\programdata\CyberLink
2009-11-16 08:16 . 2009-11-15 08:37 -------- d-----w- c:\users\Oscar\AppData\Roaming\DVD Flick
2009-11-15 08:37 . 2009-11-15 08:37 -------- d-----w- c:\program files\DVD Flick
2009-11-13 20:23 . 2009-11-13 20:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-13 08:44 . 2009-11-13 08:44 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-13 08:39 . 2009-10-25 23:46 -------- d-----w- c:\users\Oscar\AppData\Roaming\Symantec
2009-11-13 08:39 . 2009-10-23 01:13 -------- d-----w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab
2009-11-13 08:39 . 2009-10-22 22:04 -------- d-----w- c:\users\Oscar\AppData\Roaming\WinBatch
2009-11-13 08:39 . 2009-10-18 01:20 -------- d-----w- c:\users\Oscar\AppData\Roaming\Yahoo!
2009-11-13 08:39 . 2009-11-11 04:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\Sports Interactive
2009-11-13 08:39 . 2009-10-28 14:20 -------- d--h--r- c:\users\Oscar\AppData\Roaming\SecuROM
2009-11-13 08:39 . 2009-10-19 03:10 -------- d-----w- c:\users\Oscar\AppData\Roaming\Malwarebytes
2009-11-13 08:39 . 2009-10-21 02:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\ImgBurn
2009-11-13 08:39 . 2009-10-18 01:40 -------- d-----w- c:\users\Oscar\AppData\Roaming\GetRightToGo
2009-11-13 08:39 . 2009-10-17 21:28 -------- d-----w- c:\users\Oscar\AppData\Roaming\Hewlett-Packard
2009-11-13 08:39 . 2009-10-18 02:39 -------- d-----w- c:\users\Oscar\AppData\Roaming\EA
2009-11-13 08:30 . 2009-11-09 07:32 -------- dc-h--w- c:\programdata\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2009-11-13 08:30 . 2009-10-19 03:02 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-13 08:30 . 2009-10-18 01:20 -------- d-----w- c:\programdata\Yahoo! Companion
2009-11-13 08:30 . 2007-08-31 12:25 -------- d--h--w- c:\programdata\yahoo!
2009-11-13 08:27 . 2009-11-11 04:44 -------- d-----w- c:\program files\Sports Interactive
2009-11-13 08:27 . 2007-08-31 11:55 -------- d-----w- c:\program files\Roxio
2009-11-13 08:27 . 2007-08-31 12:05 -------- d-----w- c:\program files\Rhapsody
2009-11-13 08:27 . 2009-11-13 08:16 -------- d-----w- c:\program files\Realtek
2009-11-13 08:27 . 2007-08-31 12:06 -------- d-----w- c:\program files\Real
2009-11-13 08:27 . 2009-11-07 09:55 -------- d-----w- c:\program files\NVIDIA Corporation
2009-11-13 08:27 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-11-13 08:27 . 2007-08-31 12:07 -------- d-----w- c:\program files\muvee Technologies
2009-11-13 08:27 . 2009-10-19 04:35 -------- d-----w- c:\program files\Microsoft.NET
2009-11-13 08:27 . 2007-08-31 12:12 -------- d-----w- c:\program files\Microsoft Works
2009-11-13 08:27 . 2009-10-23 08:01 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-13 08:27 . 2009-10-19 04:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-13 08:27 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-13 08:26 . 2009-10-25 22:05 -------- d-----w- c:\program files\Keyboard & Mouse Driver
2009-11-13 08:26 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft
2009-11-13 08:26 . 2009-10-19 15:27 -------- d-----w- c:\program files\LimeWire
2009-11-13 08:26 . 2009-10-18 08:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-13 08:26 . 2009-10-21 02:32 -------- d-----w- c:\program files\ImgBurn
2009-11-13 08:26 . 2007-08-31 11:49 -------- d-----w- c:\program files\HP Games
2009-11-13 08:23 . 2007-08-31 11:53 -------- d-----w- c:\program files\HP
2009-11-13 08:23 . 2007-08-31 11:33 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-13 08:23 . 2009-11-08 18:17 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-13 08:22 . 2009-10-28 14:50 -------- d-----w- c:\program files\GameSpy
2009-11-13 08:22 . 2009-10-28 14:27 -------- d-----w- c:\program files\Electronic Arts
2009-11-13 08:22 . 2007-08-31 12:22 -------- d-----w- c:\program files\earthlink totalaccess
2009-11-13 08:21 . 2009-11-05 03:38 -------- d-----w- c:\program files\Dragon Age
2009-11-13 08:21 . 2009-10-18 01:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-13 08:21 . 2007-08-31 11:25 -------- d-----w- c:\program files\CONEXANT
2009-11-13 08:21 . 2009-10-31 06:09 -------- d-----w- c:\program files\Common Files\Steam
2009-11-13 08:21 . 2007-08-31 12:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-13 08:21 . 2007-08-31 11:55 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-11 11:37 . 2009-11-11 11:37 2542458 ----a-w- c:\windows\system32\abgx360.exe
2009-11-10 05:47 . 2009-10-19 20:22 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-10 05:47 . 2009-10-19 20:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-09 07:49 . 2009-10-19 20:22 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-09 07:42 . 2009-11-08 19:20 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-28 04:28 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-09 07:16 . 2009-11-09 07:16 1136 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-08 21:52 . 2007-08-31 11:41 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:15 . 2009-07-13 23:16 29696 --sha-w- c:\windows\System32\config\systemprofile\ntload.dll
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-12-10 18:05 57856 ----a-w- c:\programdata\Adobe\sp.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KMCONFIG"="c:\program files\Keyboard & Mouse Driver\StartAutorun.exe" [2008-05-30 212992]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"notepad"="c:\windows\system32\config\SYSTEM~1\ntload.dll" [2009-07-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 20:03 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPService]
2007-07-04 02:19 94208 ----a-w- c:\program files\HP\DVDPlay\DPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-05-24 20:13 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-06-01 20:40 1783400 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-31 06:10 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/14/2009 2:25 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/14/2009 2:25 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/14/2009 2:25 PM 53328]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [7/13/2009 5:19 PM 20992]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Keyboard & Mouse Driver\KMWDSrv.exe [6/23/2008 8:28 PM 208896]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [7/13/2009 5:19 PM 20992]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [9/27/2009 4:48 PM 240232]
R3 portio32;portio32;c:\windows\System32\drivers\portio32.sys [11/23/2009 1:15 PM 2048]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/4/2009 9:46 PM 25832]
S3 fssfltr;fssfltr;c:\windows\System32\drivers\fssfltr.sys [10/23/2009 2:03 AM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\System32\drivers\KMWDFILTER.sys [4/29/2009 3:37 PM 17024]
S3 PsSdk41;PsSdk41;c:\windows\System32\drivers\pssdk41.sys [11/17/2009 11:59 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [7/13/2009 4:13 PM 661504]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
HsfXAudioService REG_MULTI_SZ HsfXAudioService
netsvc REG_MULTI_SZ SPService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\
FF - component: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-notepad - c:\windows\system32\notepad.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-iinjug - c:\windows\system32\msilojzb.dll
MSConfigStartUp-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
AddRemove-PC-Doctor 5 for Windows - c:\program files\PC-Doctor 5 for Windows\uninst.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2992)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\RtHDVCpl.exe
c:\program files\Keyboard & Mouse Driver\KMConfig.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Keyboard & Mouse Driver\KMProcess.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\jusched.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-12-15 23:49:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-16 05:49

Pre-Run: 805,936,939,008 bytes free
Post-Run: 805,899,612,160 bytes free

- - End Of File - - 8402B542EAC8A5137961C9A939C511E3

#8 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:59 AM

Posted 16 December 2009 - 01:23 AM

Hi Oscarespinosa07,

We have a bit more to do here. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:


http://www.bleepingcomputer.com/forums/ind...t&p=1539094

Collect::
C:\dens.exe
C:\enhs.exe
C:\acad.exe
c:\windows\System32\config\systemprofile\ntload.dll

Folder::
c:\users\Oscar\AppData\Roaming\lowsec


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************


[Image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Please post the contents of the C:\ComboFix.txt in your next reply, along with an update on system behavior.

Edited by Ried, 16 December 2009 - 01:29 AM.



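As an added example (not ComboFix's own code and not something either poster wrote), here is a small Python triage script that parses the line formats seen in the ComboFix log above and flags the kinds of entries the CFScript in the previous post targets: hidden+system files under system32, binaries dropped in the drive root, a Run value that points at a DLL, and EnableLUA=0. The sample lines are copied from this thread's log; the flagging rules are the example's own heuristics, not ComboFix's.

```python
"""Triage helper for ComboFix log lines.

Added example, not ComboFix's own code: the line formats are taken from the
log posted in this thread, the flagging rules are this example's own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "created . modified size attrs path" lines from the Files Created / Find3M sections.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "Name"="path" [date size] lines under the Run keys.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<meta>[^\]]+)\])?$')
# "Name"= value (0xhex) lines under the policies keys.
POLICY_LINE = re.compile(r'^"(?P<name>[^"]+)"= (?P<value>\d+) \(0x[0-9a-fA-F]+\)$')
# Executable or DLL sitting directly in a drive root, e.g. C:\dens.exe.
DRIVE_ROOT_BINARY = re.compile(r"^[a-z]:\\[^\\]+\.(?:exe|dll)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def triage_file_line(m: re.Match, line: str) -> list[Finding]:
    """Apply the file-entry heuristics to one parsed listing line."""
    attrs, path = m["attrs"], m["path"].lower()
    findings: list[Finding] = []
    if attrs.startswith("d"):
        return findings  # directories carry no file-level signal here
    # ComboFix prints s (system) and h (hidden) in the attribute column;
    # a file carrying both under system32 is the pattern of propsys3.dll
    # and ntload.dll in the log above.
    if "s" in attrs and "h" in attrs and "\\system32\\" in path:
        findings.append(Finding("high", "hidden+system file under system32", line))
    if DRIVE_ROOT_BINARY.match(path):
        findings.append(Finding("medium", "binary dropped in drive root", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Walk ComboFix log text and return the entries worth a responder's attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_LINE.match(line):
            findings.extend(triage_file_line(m, line))
        elif m := RUN_LINE.match(line):
            # A Run value normally launches an .exe; a .dll target is a loader trick.
            if m["path"].lower().endswith(".dll"):
                findings.append(Finding("high", "Run value points at a DLL", line))
        elif m := POLICY_LINE.match(line):
            # EnableLUA=0 means UAC is switched off, which the log above shows.
            if m["name"] == "EnableLUA" and m["value"] == "0":
                findings.append(Finding("high", "UAC disabled (EnableLUA=0)", line))
    return findings


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2009-12-11 10:12 . 2009-12-11 10:12 132096 --sha-r- c:\windows\system32\propsys3.dll
2009-12-14 20:25 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-14 18:07 . 2009-12-14 18:07 19968 ----a-w- C:\dens.exe
2009-07-14 01:15 . 2009-07-13 23:16 29696 --sha-w- c:\windows\System32\config\systemprofile\ntload.dll
2009-12-14 20:25 . 2009-12-14 20:25 -------- d-----w- c:\program files\Alwil Software
"notepad"="c:\windows\system32\config\SYSTEM~1\ntload.dll" [2009-07-14 29696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"EnableLUA"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run against a full ComboFix.txt, the output is a short list of the same entries a helper would otherwise pick out of the log by hand.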
#9 Oscarespinosa07

Oscarespinosa07
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:04:59 AM

Posted 16 December 2009 - 02:10 AM

Ok, here is the new log. Also, after ComboFix was done my desktop didn't load, so I started up the explorer.exe process through Task Manager. I don't know if that's normal or not; I just thought I should tell you.

ComboFix 09-12-15.01 - Oscar 12/16/2009 0:38.2.1 - x86
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.2046.1331 [GMT -6:00]
Running from: c:\users\Oscar\Desktop\KittyFix.exe
Command switches used :: c:\users\Oscar\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

file zipped: C:\acad.exe
file zipped: C:\dens.exe
file zipped: C:\enhs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\acad.exe
C:\dens.exe
C:\enhs.exe
c:\users\Oscar\AppData\Roaming\lowsec
c:\users\Oscar\AppData\Roaming\lowsec\local.ds
c:\users\Oscar\AppData\Roaming\lowsec\user.ds

.
((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.

2009-12-16 07:02 . 2009-12-16 07:02 -------- d-----w- c:\users\Oscar\AppData\Local\temp
2009-12-16 07:02 . 2009-12-16 07:02 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-16 07:02 . 2009-12-16 07:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-16 07:02 . 2009-12-16 07:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-14 22:08 . 2009-12-14 22:08 29696 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll
2009-12-14 20:25 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-14 20:25 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-14 20:25 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-14 20:25 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-14 20:25 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-14 20:25 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-14 20:25 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-14 20:25 . 2009-12-14 20:25 -------- d-----w- c:\program files\Alwil Software
2009-12-14 18:18 . 2009-12-14 18:18 29696 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll
2009-12-14 18:18 . 2009-12-14 18:18 15001 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe
2009-12-14 18:18 . 2009-12-14 18:18 15000 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{E55E51D1-D3C8-CEA2-17E7-2420185D003E}-to5ffztij8.dll
2009-12-14 18:08 . 2009-12-14 18:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Yahoo!
2009-12-11 19:59 . 2009-12-11 19:59 -------- d-----w- c:\program files\Trend Micro
2009-12-11 10:12 . 2009-12-11 10:12 132096 --sha-r- c:\windows\system32\propsys3.dll
2009-12-11 10:07 . 2009-12-11 10:07 117760 ----a-w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-11 08:57 . 2009-12-11 08:57 -------- d-----w- c:\users\Oscar\AppData\Local\Diagnostics
2009-12-10 18:05 . 2009-12-10 18:05 57856 ----a-w- c:\programdata\Adobe\sp.DLL
2009-12-09 01:48 . 2009-11-21 00:21 52224 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
2009-12-09 01:48 . 2009-11-21 00:21 114688 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\npmozax.dll
2009-12-08 05:51 . 2009-12-08 05:52 -------- d-----w- c:\users\Oscar\AppData\Local\Microsoft Games
2009-12-06 13:16 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-06 13:16 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iPod
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iTunes
2009-12-06 13:15 . 2009-12-06 13:15 -------- d-----w- c:\program files\QuickTime
2009-12-05 08:38 . 2009-12-05 08:38 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-04 03:48 . 2009-10-11 10:17 55072 ----a-w- c:\windows\system32\jureg.exe
2009-12-03 21:51 . 2009-12-03 21:51 111616 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{115D9FE6-030A-6AB2-29B2-3F69DFFD1DAB}-svchost.exe
2009-11-30 08:44 . 2009-12-12 05:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\dvdcss
2009-11-26 09:31 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 04:12 . 2009-11-26 04:12 1925024 ----a-w- c:\programdata\NOS\Adobe_Downloads\install_flash_player.exe
2009-11-26 04:12 . 2009-11-26 04:12 836464 ----a-w- c:\programdata\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-11-26 04:11 . 2009-11-06 15:20 34112 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-26 04:11 . 2009-11-06 15:20 32448 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-26 04:11 . 2009-11-06 15:20 22352 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-24 15:01 . 2007-02-02 17:26 273920 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp4v2.dll
2009-11-24 15:01 . 2007-02-02 17:27 117760 ----a-w- c:\windows\system32\hpz3l4v2.dll
2009-11-24 00:54 . 2009-11-24 00:54 30127432 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{1A89C850-49D9-E4A7-41B6-0CDFE249C489}-fm.exe
2009-11-24 00:53 . 2009-11-24 00:53 -------- d-----w- c:\program files\Prolific
2009-11-24 00:53 . 2007-08-01 00:45 76800 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2009-11-23 19:59 . 2009-12-01 23:38 -------- d-----w- c:\users\Oscar\AppData\Local\ApplicationHistory
2009-11-23 19:59 . 2009-11-23 19:59 93 ----a-w- c:\users\Oscar\AppData\Local\fusioncache.dat
2009-11-23 19:15 . 2004-07-14 16:51 2048 ----a-w- c:\windows\system32\drivers\portio32.sys
2009-11-23 19:15 . 2004-07-14 16:51 19968 ----a-w- c:\windows\system32\portio32.dll
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\users\Oscar\Office Genuine Advantage
2009-11-19 03:31 . 2009-12-12 09:09 -------- d-----w- c:\users\Oscar\AppData\Roaming\vlc
2009-11-18 05:59 . 2009-11-18 05:59 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-11-18 02:31 . 2009-11-18 05:59 -------- d-----w- c:\users\Oscar\AppData\Roaming\XLink Kai
2009-11-18 02:28 . 2009-11-18 02:28 2469888 ----a-r- c:\users\Oscar\AppData\Roaming\Microsoft\Installer\{2773B836-AC66-4178-A414-C5A0F9F5D805}\kaiEngine.exe
2009-11-18 02:28 . 2009-11-18 02:28 -------- d-----w- c:\program files\XLink Kai
2009-11-17 04:51 . 2009-11-17 04:51 -------- d-----w- c:\users\Oscar\AppData\Local\ElevatedDiagnostics
2009-11-16 08:35 . 2009-11-16 08:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\CyberLink
2009-11-16 08:35 . 2009-11-16 08:35 134416 ----a-w- c:\users\Oscar\AppData\Local\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-16 05:44 . 2009-10-18 00:09 -------- d-----w- c:\programdata\NVIDIA
2009-12-12 00:11 . 2009-10-19 03:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\uTorrent
2009-12-11 10:06 . 2009-10-17 22:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-11 08:58 . 2009-10-19 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 03:07 . 2009-10-19 04:29 -------- d-----w- c:\programdata\Microsoft Help
2009-12-06 17:10 . 2009-10-19 03:03 -------- d-----w- c:\users\Oscar\AppData\Roaming\Apple Computer
2009-12-06 15:53 . 2009-10-19 15:36 -------- d-----w- c:\users\Oscar\AppData\Roaming\LimeWire
2009-12-06 13:16 . 2009-10-19 02:44 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 13:15 . 2009-10-19 02:46 -------- d-----w- c:\programdata\Apple Computer
2009-12-04 03:48 . 2007-08-31 12:10 -------- d-----w- c:\program files\Java
2009-12-03 22:14 . 2009-10-19 03:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-10-19 03:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 08:01 . 2009-11-13 19:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\abgx360
2009-11-26 18:16 . 2009-10-19 17:30 -------- d-----w- c:\programdata\NOS
2009-11-24 15:01 . 2007-08-31 12:48 -------- d-----w- c:\programdata\Hewlett-Packard
2009-11-24 00:53 . 2007-08-31 11:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 08:31 . 2009-11-21 08:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-16 08:35 . 2007-08-31 12:03 -------- d-----w- c:\programdata\CyberLink
2009-11-16 08:16 . 2009-11-15 08:37 -------- d-----w- c:\users\Oscar\AppData\Roaming\DVD Flick
2009-11-15 08:37 . 2009-11-15 08:37 -------- d-----w- c:\program files\DVD Flick
2009-11-13 20:23 . 2009-11-13 20:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-13 08:44 . 2009-11-13 08:44 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-13 08:39 . 2009-10-25 23:46 -------- d-----w- c:\users\Oscar\AppData\Roaming\Symantec
2009-11-13 08:39 . 2009-10-23 01:13 -------- d-----w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab
2009-11-13 08:39 . 2009-10-22 22:04 -------- d-----w- c:\users\Oscar\AppData\Roaming\WinBatch
2009-11-13 08:39 . 2009-10-18 01:20 -------- d-----w- c:\users\Oscar\AppData\Roaming\Yahoo!
2009-11-13 08:39 . 2009-11-11 04:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\Sports Interactive
2009-11-13 08:39 . 2009-10-28 14:20 -------- d--h--r- c:\users\Oscar\AppData\Roaming\SecuROM
2009-11-13 08:39 . 2009-10-19 03:10 -------- d-----w- c:\users\Oscar\AppData\Roaming\Malwarebytes
2009-11-13 08:39 . 2009-10-21 02:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\ImgBurn
2009-11-13 08:39 . 2009-10-18 01:40 -------- d-----w- c:\users\Oscar\AppData\Roaming\GetRightToGo
2009-11-13 08:39 . 2009-10-17 21:28 -------- d-----w- c:\users\Oscar\AppData\Roaming\Hewlett-Packard
2009-11-13 08:39 . 2009-10-18 02:39 -------- d-----w- c:\users\Oscar\AppData\Roaming\EA
2009-11-13 08:30 . 2009-11-09 07:32 -------- dc-h--w- c:\programdata\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2009-11-13 08:30 . 2009-10-19 03:02 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-13 08:30 . 2009-10-18 01:20 -------- d-----w- c:\programdata\Yahoo! Companion
2009-11-13 08:30 . 2007-08-31 12:25 -------- d--h--w- c:\programdata\yahoo!
2009-11-13 08:27 . 2009-11-11 04:44 -------- d-----w- c:\program files\Sports Interactive
2009-11-13 08:27 . 2007-08-31 11:55 -------- d-----w- c:\program files\Roxio
2009-11-13 08:27 . 2007-08-31 12:05 -------- d-----w- c:\program files\Rhapsody
2009-11-13 08:27 . 2009-11-13 08:16 -------- d-----w- c:\program files\Realtek
2009-11-13 08:27 . 2007-08-31 12:06 -------- d-----w- c:\program files\Real
2009-11-13 08:27 . 2009-11-07 09:55 -------- d-----w- c:\program files\NVIDIA Corporation
2009-11-13 08:27 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-11-13 08:27 . 2007-08-31 12:07 -------- d-----w- c:\program files\muvee Technologies
2009-11-13 08:27 . 2009-10-19 04:35 -------- d-----w- c:\program files\Microsoft.NET
2009-11-13 08:27 . 2007-08-31 12:12 -------- d-----w- c:\program files\Microsoft Works
2009-11-13 08:27 . 2009-10-23 08:01 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-13 08:27 . 2009-10-19 04:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-13 08:27 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-13 08:26 . 2009-10-25 22:05 -------- d-----w- c:\program files\Keyboard & Mouse Driver
2009-11-13 08:26 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft
2009-11-13 08:26 . 2009-10-19 15:27 -------- d-----w- c:\program files\LimeWire
2009-11-13 08:26 . 2009-10-18 08:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-13 08:26 . 2009-10-21 02:32 -------- d-----w- c:\program files\ImgBurn
2009-11-13 08:26 . 2007-08-31 11:49 -------- d-----w- c:\program files\HP Games
2009-11-13 08:23 . 2007-08-31 11:53 -------- d-----w- c:\program files\HP
2009-11-13 08:23 . 2007-08-31 11:33 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-13 08:23 . 2009-11-08 18:17 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-13 08:22 . 2009-10-28 14:50 -------- d-----w- c:\program files\GameSpy
2009-11-13 08:22 . 2009-10-28 14:27 -------- d-----w- c:\program files\Electronic Arts
2009-11-13 08:22 . 2007-08-31 12:22 -------- d-----w- c:\program files\earthlink totalaccess
2009-11-13 08:21 . 2009-11-05 03:38 -------- d-----w- c:\program files\Dragon Age
2009-11-13 08:21 . 2009-10-18 01:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-13 08:21 . 2007-08-31 11:25 -------- d-----w- c:\program files\CONEXANT
2009-11-13 08:21 . 2009-10-31 06:09 -------- d-----w- c:\program files\Common Files\Steam
2009-11-13 08:21 . 2007-08-31 12:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-13 08:21 . 2007-08-31 11:55 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-11 11:37 . 2009-11-11 11:37 2542458 ----a-w- c:\windows\system32\abgx360.exe
2009-11-10 05:47 . 2009-10-19 20:22 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-10 05:47 . 2009-10-19 20:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-09 07:49 . 2009-10-19 20:22 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-09 07:42 . 2009-11-08 19:20 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-28 04:28 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-09 07:16 . 2009-11-09 07:16 1136 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-08 21:52 . 2007-08-31 11:41 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-11-03 08:28 . 2009-11-03 08:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-03 08:28 . 2009-11-03 08:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 02:42 . 2009-10-17 21:56 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 02:42 . 2009-10-24 02:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-10-20 06:36 . 2009-10-20 06:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-20 00:39 . 2009-10-20 00:39 177024 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\FlashGot.exe
2009-10-19 21:22 . 2009-10-19 21:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-10-19 17:53 . 2009-10-19 17:53 38208 ----a-w- c:\users\Oscar\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-19 17:53 . 2009-10-19 17:53 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-19 17:31 . 2009-10-19 17:31 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-10-18 02:39 . 2009-10-18 02:39 175616 ----a-w- c:\users\Oscar\AppData\Roaming\EA\EASW\GameFace\unrar64_nocrypt.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:15 . 2009-07-13 23:16 29696 --sha-w- c:\windows\System32\config\systemprofile\ntload.dll
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-16_05.45.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2009-12-16 05:47 35288 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-11-13 08:18 . 2009-12-16 05:45 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-13 08:18 . 2009-12-16 05:47 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-16 06:29 . 2009-12-16 05:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2009-12-16 05:45 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2009-12-16 05:47 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-14 00:03 . 2009-12-16 07:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-14 00:03 . 2009-12-16 07:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-14 00:03 . 2009-12-16 07:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-13 11:12 . 2009-12-16 07:01 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-13 11:12 . 2009-12-16 05:45 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-13 20:38 . 2009-12-16 05:47 7116 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1842487324-1744856576-3749998290-1000_UserData.bin
+ 2009-07-14 02:05 . 2009-12-16 05:49 626794 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2009-12-16 05:24 626794 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2009-12-16 05:49 108366 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2009-12-16 05:24 108366 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-12-10 18:05 57856 ----a-w- c:\programdata\Adobe\sp.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KMCONFIG"="c:\program files\Keyboard & Mouse Driver\StartAutorun.exe" [2008-05-30 212992]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"notepad"="c:\windows\system32\config\SYSTEM~1\ntload.dll" [2009-07-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 20:03 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPService]
2007-07-04 02:19 94208 ----a-w- c:\program files\HP\DVDPlay\DPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-05-24 20:13 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-06-01 20:40 1783400 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-31 06:10 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/14/2009 2:25 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/14/2009 2:25 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/14/2009 2:25 PM 53328]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [7/13/2009 5:19 PM 20992]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Keyboard & Mouse Driver\KMWDSrv.exe [6/23/2008 8:28 PM 208896]
R3 portio32;portio32;c:\windows\System32\drivers\portio32.sys [11/23/2009 1:15 PM 2048]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/4/2009 9:46 PM 25832]
S3 fssfltr;fssfltr;c:\windows\System32\drivers\fssfltr.sys [10/23/2009 2:03 AM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\System32\drivers\KMWDFILTER.sys [4/29/2009 3:37 PM 17024]
S3 PsSdk41;PsSdk41;c:\windows\System32\drivers\pssdk41.sys [11/17/2009 11:59 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [7/13/2009 4:13 PM 661504]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
HsfXAudioService REG_MULTI_SZ HsfXAudioService
netsvc REG_MULTI_SZ SPService
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\
FF - component: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2009-12-16 01:05:06
ComboFix-quarantined-files.txt 2009-12-16 07:05
ComboFix2.txt 2009-12-16 05:49

Pre-Run: 805,950,005,248 bytes free
Post-Run: 805,900,394,496 bytes free

- - End Of File - - 7A379EB12926C153C4E75699FA0D74A8
Upload was successful

#10 Ried


  • Malware Response Team
  • 1,009 posts
  • Gender:Male

Posted 16 December 2009 - 02:20 AM

Thanks for letting me know. :(

One more time. Open notepad and copy/paste the text in the code box below into it:



http://www.bleepingcomputer.com/forums/ind...t&p=1539094

Collect::
c:\windows\System32\config\systemprofile\ntload.dll

Reboot::


Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#11 Oscarespinosa07

  • Topic Starter

  • Members
  • 29 posts

Posted 16 December 2009 - 01:35 PM

I apologize for the late reply, I fell asleep during the Kaspersky scan :(
It seems like the computer is a bit better. Those fake internet security 2010 things are gone.
Here are both reports

ComboFix 09-12-15.01 - Oscar 12/16/2009 1:39.3.1 - x86
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.2046.1172 [GMT -6:00]
Running from: c:\users\Oscar\Desktop\KittyFix.exe
Command switches used :: c:\users\Oscar\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\config\systemprofile\ntload.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.

2009-12-16 08:05 . 2009-12-16 08:06 -------- d-----w- c:\users\Oscar\AppData\Local\temp
2009-12-16 08:05 . 2009-12-16 08:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-16 08:05 . 2009-12-16 08:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-16 08:05 . 2009-12-16 08:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-14 22:08 . 2009-12-14 22:08 29696 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll
2009-12-14 20:25 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-14 20:25 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-14 20:25 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-14 20:25 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-14 20:25 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-14 20:25 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-14 20:25 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-14 20:25 . 2009-12-14 20:25 -------- d-----w- c:\program files\Alwil Software
2009-12-14 18:18 . 2009-12-14 18:18 29696 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll
2009-12-14 18:18 . 2009-12-14 18:18 15001 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe
2009-12-14 18:18 . 2009-12-14 18:18 15000 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{E55E51D1-D3C8-CEA2-17E7-2420185D003E}-to5ffztij8.dll
2009-12-14 18:08 . 2009-12-14 18:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Yahoo!
2009-12-11 19:59 . 2009-12-11 19:59 -------- d-----w- c:\program files\Trend Micro
2009-12-11 10:12 . 2009-12-11 10:12 132096 --sha-r- c:\windows\system32\propsys3.dll
2009-12-11 10:07 . 2009-12-11 10:07 117760 ----a-w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-11 08:57 . 2009-12-11 08:57 -------- d-----w- c:\users\Oscar\AppData\Local\Diagnostics
2009-12-10 18:05 . 2009-12-10 18:05 57856 ----a-w- c:\programdata\Adobe\sp.DLL
2009-12-09 01:48 . 2009-11-21 00:21 52224 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
2009-12-09 01:48 . 2009-11-21 00:21 114688 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\npmozax.dll
2009-12-08 05:51 . 2009-12-08 05:52 -------- d-----w- c:\users\Oscar\AppData\Local\Microsoft Games
2009-12-06 13:16 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-06 13:16 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iPod
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iTunes
2009-12-06 13:15 . 2009-12-06 13:15 -------- d-----w- c:\program files\QuickTime
2009-12-05 08:38 . 2009-12-05 08:38 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-04 03:48 . 2009-10-11 10:17 55072 ----a-w- c:\windows\system32\jureg.exe
2009-12-03 21:51 . 2009-12-03 21:51 111616 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{115D9FE6-030A-6AB2-29B2-3F69DFFD1DAB}-svchost.exe
2009-11-30 08:44 . 2009-12-12 05:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\dvdcss
2009-11-26 09:31 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 04:12 . 2009-11-26 04:12 1925024 ----a-w- c:\programdata\NOS\Adobe_Downloads\install_flash_player.exe
2009-11-26 04:12 . 2009-11-26 04:12 836464 ----a-w- c:\programdata\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-11-26 04:11 . 2009-11-06 15:20 34112 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-26 04:11 . 2009-11-06 15:20 32448 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-26 04:11 . 2009-11-06 15:20 22352 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-24 15:01 . 2007-02-02 17:26 273920 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp4v2.dll
2009-11-24 15:01 . 2007-02-02 17:27 117760 ----a-w- c:\windows\system32\hpz3l4v2.dll
2009-11-24 00:54 . 2009-11-24 00:54 30127432 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{1A89C850-49D9-E4A7-41B6-0CDFE249C489}-fm.exe
2009-11-24 00:53 . 2009-11-24 00:53 -------- d-----w- c:\program files\Prolific
2009-11-24 00:53 . 2007-08-01 00:45 76800 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2009-11-23 19:59 . 2009-12-01 23:38 -------- d-----w- c:\users\Oscar\AppData\Local\ApplicationHistory
2009-11-23 19:59 . 2009-11-23 19:59 93 ----a-w- c:\users\Oscar\AppData\Local\fusioncache.dat
2009-11-23 19:15 . 2004-07-14 16:51 2048 ----a-w- c:\windows\system32\drivers\portio32.sys
2009-11-23 19:15 . 2004-07-14 16:51 19968 ----a-w- c:\windows\system32\portio32.dll
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\users\Oscar\Office Genuine Advantage
2009-11-19 03:31 . 2009-12-12 09:09 -------- d-----w- c:\users\Oscar\AppData\Roaming\vlc
2009-11-18 05:59 . 2009-11-18 05:59 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-11-18 02:31 . 2009-11-18 05:59 -------- d-----w- c:\users\Oscar\AppData\Roaming\XLink Kai
2009-11-18 02:28 . 2009-11-18 02:28 2469888 ----a-r- c:\users\Oscar\AppData\Roaming\Microsoft\Installer\{2773B836-AC66-4178-A414-C5A0F9F5D805}\kaiEngine.exe
2009-11-18 02:28 . 2009-11-18 02:28 -------- d-----w- c:\program files\XLink Kai
2009-11-17 04:51 . 2009-11-17 04:51 -------- d-----w- c:\users\Oscar\AppData\Local\ElevatedDiagnostics
2009-11-16 08:35 . 2009-11-16 08:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\CyberLink
2009-11-16 08:35 . 2009-11-16 08:35 134416 ----a-w- c:\users\Oscar\AppData\Local\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-16 08:06 . 2009-10-18 00:09 -------- d-----w- c:\programdata\NVIDIA
2009-12-12 00:11 . 2009-10-19 03:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\uTorrent
2009-12-11 10:06 . 2009-10-17 22:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-11 08:58 . 2009-10-19 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 03:07 . 2009-10-19 04:29 -------- d-----w- c:\programdata\Microsoft Help
2009-12-06 17:10 . 2009-10-19 03:03 -------- d-----w- c:\users\Oscar\AppData\Roaming\Apple Computer
2009-12-06 15:53 . 2009-10-19 15:36 -------- d-----w- c:\users\Oscar\AppData\Roaming\LimeWire
2009-12-06 13:16 . 2009-10-19 02:44 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 13:15 . 2009-10-19 02:46 -------- d-----w- c:\programdata\Apple Computer
2009-12-04 03:48 . 2007-08-31 12:10 -------- d-----w- c:\program files\Java
2009-12-03 22:14 . 2009-10-19 03:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-10-19 03:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 08:01 . 2009-11-13 19:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\abgx360
2009-11-26 18:16 . 2009-10-19 17:30 -------- d-----w- c:\programdata\NOS
2009-11-24 15:01 . 2007-08-31 12:48 -------- d-----w- c:\programdata\Hewlett-Packard
2009-11-24 00:53 . 2007-08-31 11:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 08:31 . 2009-11-21 08:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-16 08:35 . 2007-08-31 12:03 -------- d-----w- c:\programdata\CyberLink
2009-11-16 08:16 . 2009-11-15 08:37 -------- d-----w- c:\users\Oscar\AppData\Roaming\DVD Flick
2009-11-15 08:37 . 2009-11-15 08:37 -------- d-----w- c:\program files\DVD Flick
2009-11-13 20:23 . 2009-11-13 20:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-13 08:44 . 2009-11-13 08:44 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-13 08:39 . 2009-10-25 23:46 -------- d-----w- c:\users\Oscar\AppData\Roaming\Symantec
2009-11-13 08:39 . 2009-10-23 01:13 -------- d-----w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab
2009-11-13 08:39 . 2009-10-22 22:04 -------- d-----w- c:\users\Oscar\AppData\Roaming\WinBatch
2009-11-13 08:39 . 2009-10-18 01:20 -------- d-----w- c:\users\Oscar\AppData\Roaming\Yahoo!
2009-11-13 08:39 . 2009-11-11 04:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\Sports Interactive
2009-11-13 08:39 . 2009-10-28 14:20 -------- d--h--r- c:\users\Oscar\AppData\Roaming\SecuROM
2009-11-13 08:39 . 2009-10-19 03:10 -------- d-----w- c:\users\Oscar\AppData\Roaming\Malwarebytes
2009-11-13 08:39 . 2009-10-21 02:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\ImgBurn
2009-11-13 08:39 . 2009-10-18 01:40 -------- d-----w- c:\users\Oscar\AppData\Roaming\GetRightToGo
2009-11-13 08:39 . 2009-10-17 21:28 -------- d-----w- c:\users\Oscar\AppData\Roaming\Hewlett-Packard
2009-11-13 08:39 . 2009-10-18 02:39 -------- d-----w- c:\users\Oscar\AppData\Roaming\EA
2009-11-13 08:30 . 2009-11-09 07:32 -------- dc-h--w- c:\programdata\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2009-11-13 08:30 . 2009-10-19 03:02 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-13 08:30 . 2009-10-18 01:20 -------- d-----w- c:\programdata\Yahoo! Companion
2009-11-13 08:30 . 2007-08-31 12:25 -------- d--h--w- c:\programdata\yahoo!
2009-11-13 08:27 . 2009-11-11 04:44 -------- d-----w- c:\program files\Sports Interactive
2009-11-13 08:27 . 2007-08-31 11:55 -------- d-----w- c:\program files\Roxio
2009-11-13 08:27 . 2007-08-31 12:05 -------- d-----w- c:\program files\Rhapsody
2009-11-13 08:27 . 2009-11-13 08:16 -------- d-----w- c:\program files\Realtek
2009-11-13 08:27 . 2007-08-31 12:06 -------- d-----w- c:\program files\Real
2009-11-13 08:27 . 2009-11-07 09:55 -------- d-----w- c:\program files\NVIDIA Corporation
2009-11-13 08:27 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-11-13 08:27 . 2007-08-31 12:07 -------- d-----w- c:\program files\muvee Technologies
2009-11-13 08:27 . 2009-10-19 04:35 -------- d-----w- c:\program files\Microsoft.NET
2009-11-13 08:27 . 2007-08-31 12:12 -------- d-----w- c:\program files\Microsoft Works
2009-11-13 08:27 . 2009-10-23 08:01 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-13 08:27 . 2009-10-19 04:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-13 08:27 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-13 08:26 . 2009-10-25 22:05 -------- d-----w- c:\program files\Keyboard & Mouse Driver
2009-11-13 08:26 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft
2009-11-13 08:26 . 2009-10-19 15:27 -------- d-----w- c:\program files\LimeWire
2009-11-13 08:26 . 2009-10-18 08:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-13 08:26 . 2009-10-21 02:32 -------- d-----w- c:\program files\ImgBurn
2009-11-13 08:26 . 2007-08-31 11:49 -------- d-----w- c:\program files\HP Games
2009-11-13 08:23 . 2007-08-31 11:53 -------- d-----w- c:\program files\HP
2009-11-13 08:23 . 2007-08-31 11:33 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-13 08:23 . 2009-11-08 18:17 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-13 08:22 . 2009-10-28 14:50 -------- d-----w- c:\program files\GameSpy
2009-11-13 08:22 . 2009-10-28 14:27 -------- d-----w- c:\program files\Electronic Arts
2009-11-13 08:22 . 2007-08-31 12:22 -------- d-----w- c:\program files\earthlink totalaccess
2009-11-13 08:21 . 2009-11-05 03:38 -------- d-----w- c:\program files\Dragon Age
2009-11-13 08:21 . 2009-10-18 01:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-13 08:21 . 2007-08-31 11:25 -------- d-----w- c:\program files\CONEXANT
2009-11-13 08:21 . 2009-10-31 06:09 -------- d-----w- c:\program files\Common Files\Steam
2009-11-13 08:21 . 2007-08-31 12:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-13 08:21 . 2007-08-31 11:55 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-11 11:37 . 2009-11-11 11:37 2542458 ----a-w- c:\windows\system32\abgx360.exe
2009-11-10 05:47 . 2009-10-19 20:22 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-10 05:47 . 2009-10-19 20:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-09 07:49 . 2009-10-19 20:22 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-09 07:42 . 2009-11-08 19:20 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-28 04:28 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-09 07:16 . 2009-11-09 07:16 1136 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-08 21:52 . 2007-08-31 11:41 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-11-03 08:28 . 2009-11-03 08:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-03 08:28 . 2009-11-03 08:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 02:42 . 2009-10-17 21:56 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 02:42 . 2009-10-24 02:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-10-20 06:36 . 2009-10-20 06:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-20 00:39 . 2009-10-20 00:39 177024 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\FlashGot.exe
2009-10-19 21:22 . 2009-10-19 21:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-10-19 17:53 . 2009-10-19 17:53 38208 ----a-w- c:\users\Oscar\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-19 17:53 . 2009-10-19 17:53 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-19 17:31 . 2009-10-19 17:31 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-10-18 02:39 . 2009-10-18 02:39 175616 ----a-w- c:\users\Oscar\AppData\Roaming\EA\EASW\GameFace\unrar64_nocrypt.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-16_05.45.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2009-12-16 05:47 35288 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-13 08:18 . 2009-12-16 08:07 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-13 08:18 . 2009-12-16 05:45 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-16 06:29 . 2009-12-16 08:07 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2009-12-16 05:45 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2009-12-16 08:07 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-13 20:32 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-13 20:32 . 2009-12-16 08:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-13 20:32 . 2009-12-16 08:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-13 20:32 . 2009-12-16 05:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-13 20:32 . 2009-12-16 08:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-13 20:32 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-13 11:12 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-13 11:12 . 2009-12-16 08:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-14 00:03 . 2009-12-16 08:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-14 00:03 . 2009-12-16 08:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-14 00:03 . 2009-12-16 08:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-11-13 11:12 . 2009-12-16 08:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-13 11:12 . 2009-12-16 05:45 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-13 11:12 . 2009-12-16 08:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-13 11:12 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-23 19:30 . 2009-12-16 08:05 2590 c:\windows\System32\wdi\ERCQueuedResolutions.dat
+ 2009-11-13 20:38 . 2009-12-16 05:47 7116 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1842487324-1744856576-3749998290-1000_UserData.bin
- 2009-12-16 05:20 . 2009-12-16 05:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-16 05:20 . 2009-12-16 08:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-16 05:20 . 2009-12-16 08:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-12-16 05:20 . 2009-12-16 05:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:05 . 2009-12-16 05:24 626794 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2009-12-16 05:49 626794 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2009-12-16 05:24 108366 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2009-12-16 05:49 108366 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-12-10 18:05 57856 ----a-w- c:\programdata\Adobe\sp.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KMCONFIG"="c:\program files\Keyboard & Mouse Driver\StartAutorun.exe" [2008-05-30 212992]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 20:03 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPService]
2007-07-04 02:19 94208 ----a-w- c:\program files\HP\DVDPlay\DPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-05-24 20:13 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-06-01 20:40 1783400 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-31 06:10 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/14/2009 2:25 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/14/2009 2:25 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/14/2009 2:25 PM 53328]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [7/13/2009 5:19 PM 20992]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Keyboard & Mouse Driver\KMWDSrv.exe [6/23/2008 8:28 PM 208896]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [7/13/2009 5:19 PM 20992]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [9/27/2009 4:48 PM 240232]
R3 portio32;portio32;c:\windows\System32\drivers\portio32.sys [11/23/2009 1:15 PM 2048]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/4/2009 9:46 PM 25832]
S3 fssfltr;fssfltr;c:\windows\System32\drivers\fssfltr.sys [10/23/2009 2:03 AM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\System32\drivers\KMWDFILTER.sys [4/29/2009 3:37 PM 17024]
S3 PsSdk41;PsSdk41;c:\windows\System32\drivers\pssdk41.sys [11/17/2009 11:59 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [7/13/2009 4:13 PM 661504]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
HsfXAudioService REG_MULTI_SZ HsfXAudioService
netsvc REG_MULTI_SZ SPService
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\
FF - component: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-notepad - c:\windows\system32\config\SYSTEM~1\ntload.dll


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3036)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\RtHDVCpl.exe
c:\program files\Keyboard & Mouse Driver\KMConfig.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Keyboard & Mouse Driver\KMProcess.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\jusched.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-12-16 02:11:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-16 08:11
ComboFix2.txt 2009-12-16 07:07
ComboFix3.txt 2009-12-16 05:49

Pre-Run: 805,948,649,472 bytes free
Post-Run: 805,902,368,768 bytes free

- - End Of File - - 671AB2EB284B30B33DBA43E8980ABAE3




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 16, 2009
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 16, 2009 08:22:30
Records in database: 3377558
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 185101
Threats found: 14
Infected objects found: 28
Suspicious objects found: 0
Scan duration: 04:13:40


File name / Threat / Threats count
c:\programdata\adobe\sp.dll/c:\programdata\adobe\sp.dll Infected: Trojan-Proxy.Win32.Agent.byn 2
C:\ProgramData\Adobe\sp.DLL Infected: Trojan-Proxy.Win32.Agent.byn 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll Infected: Trojan.Win32.Pakes.nst 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe Infected: Trojan.Win32.Agent.ddod 1
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll Infected: Trojan.Win32.Pakes.nst 1
C:\Qoobox\Quarantine\C\dens.exe.vir Infected: Trojan.Win32.Vilsel.pmb 1
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir Infected: Trojan.Win32.FraudPack.aedj 1
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Trojan.Win32.Pakes.nst 1
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\ntload.dll.vir Infected: Trojan.Win32.Pakes.nst 1
C:\Qoobox\Quarantine\C\Windows\System32\critical_warning.html.vir Infected: Trojan.JS.Hoax.b 1
C:\Qoobox\Quarantine\C\Windows\System32\drivers\nvstor32.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\Windows\System32\msilojzb.dll.vir Infected: Trojan-GameThief.Win32.WOW.vne 1
C:\Qoobox\Quarantine\C\Windows\System32\notepad.dll.vir Infected: Trojan.Win32.Pakes.nst 1
C:\Qoobox\Quarantine\C\Windows\System32\winhelper86.dll.vir Infected: Trojan-Ransom.Win32.Agent.iv 1
C:\Qoobox\Quarantine\C\Windows\System32\winlogon86.exe.vir Infected: Trojan.Win32.Vilsel.pmb 1
C:\Qoobox\Quarantine\C\Windows\System32\winupdate86.exe.vir Infected: Trojan.Win32.Vilsel.pmb 1
C:\Qoobox\Quarantine\[4]-Submit_2009-12-16_00.37.46.zip Infected: Trojan.Win32.Vilsel.pmb 1
C:\UBCD4Win\UBCD\PROGRAMS\Crossloop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\UBCD4Win\UBCD\PROGRAMS\Crossloop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\UBCD4Win\UBCD\PROGRAMS\mbrfix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\UBCD4Win\UBCD\PROGRAMS\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 1
C:\UBCD4Win\UBCD\PROGRAMS\vncserver\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\UBCD4Win\UBCD\PROGRAMS\vncserver\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\Users\All Users\Adobe\sp.DLL Infected: Trojan-Proxy.Win32.Agent.byn 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll Infected: Trojan.Win32.Pakes.nst 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe Infected: Trojan.Win32.Agent.ddod 1
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll Infected: Trojan.Win32.Pakes.nst 1

Selected area has been scanned.

#12 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 AM

Posted 16 December 2009 - 04:56 PM

No worries, I knew it would take several hours. :(

Open notepad and copy/paste the text in the code box below into it:

http://www.bleepingcomputer.com/forums/index.php?showtopic=278085&view=findpost&p=1539687

Collect::
C:\ProgramData\Adobe\sp.DLL
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll
C:\Users\All Users\Adobe\sp.DLL
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe
C:\Users\All Users\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll

Folder::
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}
C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Please return with the C:\ComboFix.txt and another update on system behavior.

Edited by Ried, 16 December 2009 - 04:57 PM.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#13 Oscarespinosa07

Oscarespinosa07
  • Topic Starter

  • Members
  • 29 posts
  • Local time:04:59 AM

Posted 16 December 2009 - 06:24 PM

Ok, here is the log. I also wanted to tell you that before I saw your post I was trying to refresh this page to check whether you had replied, and I received a blue screen, but I was unable to catch the error code. I don't know if it is related to this or due to another reason.

ComboFix 09-12-15.01 - Oscar 12/16/2009 16:34:00.4.1 - x86
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.2046.1519 [GMT -6:00]
Running from: c:\users\Oscar\Desktop\KittyFix.exe
Command switches used :: c:\users\Oscar\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

file zipped: c:\programdata\Adobe\sp.DLL
file zipped: c:\programdata\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll
file zipped: c:\programdata\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe
file zipped: c:\programdata\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Adobe\sp.DLL
c:\programdata\Microsoft\Windows Defender\LocalCopy\{4060B1C2-3A44-94F4-FB32-5448E0507D8A}-ntload.dll
c:\programdata\Microsoft\Windows Defender\LocalCopy\{4AE9CC26-5A5C-3FBF-1054-1690D48122F1}-evo1bqj8.exe
c:\programdata\Microsoft\Windows Defender\LocalCopy\{FA47367E-418B-5AB7-4FA1-32E8334A0DF9}-notepad.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SPService


((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.

2009-12-16 22:57 . 2009-12-16 23:06 -------- d-----w- c:\users\Oscar\AppData\Local\temp
2009-12-16 22:57 . 2009-12-16 22:57 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-12-16 22:57 . 2009-12-16 22:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-16 22:57 . 2009-12-16 22:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-16 08:12 . 2009-12-16 08:12 -------- d-----w- c:\windows\Sun
2009-12-14 20:25 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-14 20:25 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-14 20:25 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-14 20:25 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-14 20:25 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-14 20:25 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-14 20:25 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-14 20:25 . 2009-12-14 20:25 -------- d-----w- c:\program files\Alwil Software
2009-12-14 18:18 . 2009-12-14 18:18 15000 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{E55E51D1-D3C8-CEA2-17E7-2420185D003E}-to5ffztij8.dll
2009-12-14 18:08 . 2009-12-14 18:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Yahoo!
2009-12-11 19:59 . 2009-12-11 19:59 -------- d-----w- c:\program files\Trend Micro
2009-12-11 10:12 . 2009-12-11 10:12 132096 --sha-r- c:\windows\system32\propsys3.dll
2009-12-11 10:07 . 2009-12-11 10:07 117760 ----a-w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\users\Oscar\AppData\Roaming\SUPERAntiSpyware.com
2009-12-11 10:06 . 2009-12-11 10:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-11 08:57 . 2009-12-11 08:57 -------- d-----w- c:\users\Oscar\AppData\Local\Diagnostics
2009-12-09 01:48 . 2009-11-21 00:21 52224 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
2009-12-09 01:48 . 2009-11-21 00:21 114688 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\npmozax.dll
2009-12-08 05:51 . 2009-12-08 05:52 -------- d-----w- c:\users\Oscar\AppData\Local\Microsoft Games
2009-12-06 13:16 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-06 13:16 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iPod
2009-12-06 13:16 . 2009-12-06 13:16 -------- d-----w- c:\program files\iTunes
2009-12-06 13:15 . 2009-12-06 13:15 -------- d-----w- c:\program files\QuickTime
2009-12-05 08:38 . 2009-12-05 08:38 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-04 03:48 . 2009-10-11 10:17 55072 ----a-w- c:\windows\system32\jureg.exe
2009-12-03 21:51 . 2009-12-03 21:51 111616 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{115D9FE6-030A-6AB2-29B2-3F69DFFD1DAB}-svchost.exe
2009-11-30 08:44 . 2009-12-12 05:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\dvdcss
2009-11-26 09:31 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-26 04:12 . 2009-11-26 04:12 1925024 ----a-w- c:\programdata\NOS\Adobe_Downloads\install_flash_player.exe
2009-11-26 04:12 . 2009-11-26 04:12 836464 ----a-w- c:\programdata\NOS\Adobe_Downloads\SecurityScan_Release.exe
2009-11-26 04:11 . 2009-11-06 15:20 34112 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-26 04:11 . 2009-11-06 15:20 32448 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-26 04:11 . 2009-11-06 15:20 22352 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-24 15:01 . 2007-02-02 17:26 273920 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp4v2.dll
2009-11-24 15:01 . 2007-02-02 17:27 117760 ----a-w- c:\windows\system32\hpz3l4v2.dll
2009-11-24 00:54 . 2009-11-24 00:54 30127432 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{1A89C850-49D9-E4A7-41B6-0CDFE249C489}-fm.exe
2009-11-24 00:53 . 2009-11-24 00:53 -------- d-----w- c:\program files\Prolific
2009-11-24 00:53 . 2007-08-01 00:45 76800 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2009-11-23 19:59 . 2009-12-01 23:38 -------- d-----w- c:\users\Oscar\AppData\Local\ApplicationHistory
2009-11-23 19:59 . 2009-11-23 19:59 93 ----a-w- c:\users\Oscar\AppData\Local\fusioncache.dat
2009-11-23 19:15 . 2004-07-14 16:51 2048 ----a-w- c:\windows\system32\drivers\portio32.sys
2009-11-23 19:15 . 2004-07-14 16:51 19968 ----a-w- c:\windows\system32\portio32.dll
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-20 00:40 . 2009-11-20 00:40 -------- d-----w- c:\users\Oscar\Office Genuine Advantage
2009-11-19 03:31 . 2009-12-12 09:09 -------- d-----w- c:\users\Oscar\AppData\Roaming\vlc
2009-11-18 05:59 . 2009-11-18 05:59 36928 ----a-w- c:\windows\system32\drivers\pssdk41.sys
2009-11-18 02:31 . 2009-11-18 05:59 -------- d-----w- c:\users\Oscar\AppData\Roaming\XLink Kai
2009-11-18 02:28 . 2009-11-18 02:28 2469888 ----a-r- c:\users\Oscar\AppData\Roaming\Microsoft\Installer\{2773B836-AC66-4178-A414-C5A0F9F5D805}\kaiEngine.exe
2009-11-18 02:28 . 2009-11-18 02:28 -------- d-----w- c:\program files\XLink Kai
2009-11-17 04:51 . 2009-11-17 04:51 -------- d-----w- c:\users\Oscar\AppData\Local\ElevatedDiagnostics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-16 23:06 . 2009-10-18 00:09 -------- d-----w- c:\programdata\NVIDIA
2009-12-12 00:11 . 2009-10-19 03:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\uTorrent
2009-12-11 10:06 . 2009-10-17 22:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-11 08:58 . 2009-10-19 03:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 03:07 . 2009-10-19 04:29 -------- d-----w- c:\programdata\Microsoft Help
2009-12-06 17:10 . 2009-10-19 03:03 -------- d-----w- c:\users\Oscar\AppData\Roaming\Apple Computer
2009-12-06 15:53 . 2009-10-19 15:36 -------- d-----w- c:\users\Oscar\AppData\Roaming\LimeWire
2009-12-06 13:16 . 2009-10-19 02:44 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 13:15 . 2009-10-19 02:46 -------- d-----w- c:\programdata\Apple Computer
2009-12-04 03:48 . 2007-08-31 12:10 -------- d-----w- c:\program files\Java
2009-12-03 22:14 . 2009-10-19 03:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-10-19 03:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 08:01 . 2009-11-13 19:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\abgx360
2009-11-26 18:16 . 2009-10-19 17:30 -------- d-----w- c:\programdata\NOS
2009-11-24 15:01 . 2007-08-31 12:48 -------- d-----w- c:\programdata\Hewlett-Packard
2009-11-24 00:53 . 2007-08-31 11:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-21 08:31 . 2009-11-21 08:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-16 08:35 . 2009-11-16 08:35 -------- d-----w- c:\users\Oscar\AppData\Roaming\CyberLink
2009-11-16 08:35 . 2007-08-31 12:03 -------- d-----w- c:\programdata\CyberLink
2009-11-16 08:35 . 2009-11-16 08:35 134416 ----a-w- c:\users\Oscar\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-16 08:16 . 2009-11-15 08:37 -------- d-----w- c:\users\Oscar\AppData\Roaming\DVD Flick
2009-11-15 08:37 . 2009-11-15 08:37 -------- d-----w- c:\program files\DVD Flick
2009-11-13 20:23 . 2009-11-13 20:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2009-11-13 08:44 . 2009-11-13 08:44 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-13 08:39 . 2009-10-25 23:46 -------- d-----w- c:\users\Oscar\AppData\Roaming\Symantec
2009-11-13 08:39 . 2009-10-23 01:13 -------- d-----w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab
2009-11-13 08:39 . 2009-10-22 22:04 -------- d-----w- c:\users\Oscar\AppData\Roaming\WinBatch
2009-11-13 08:39 . 2009-10-18 01:20 -------- d-----w- c:\users\Oscar\AppData\Roaming\Yahoo!
2009-11-13 08:39 . 2009-11-11 04:47 -------- d-----w- c:\users\Oscar\AppData\Roaming\Sports Interactive
2009-11-13 08:39 . 2009-10-28 14:20 -------- d--h--r- c:\users\Oscar\AppData\Roaming\SecuROM
2009-11-13 08:39 . 2009-10-19 03:10 -------- d-----w- c:\users\Oscar\AppData\Roaming\Malwarebytes
2009-11-13 08:39 . 2009-10-21 02:34 -------- d-----w- c:\users\Oscar\AppData\Roaming\ImgBurn
2009-11-13 08:39 . 2009-10-18 01:40 -------- d-----w- c:\users\Oscar\AppData\Roaming\GetRightToGo
2009-11-13 08:39 . 2009-10-17 21:28 -------- d-----w- c:\users\Oscar\AppData\Roaming\Hewlett-Packard
2009-11-13 08:39 . 2009-10-18 02:39 -------- d-----w- c:\users\Oscar\AppData\Roaming\EA
2009-11-13 08:30 . 2009-11-09 07:32 -------- dc-h--w- c:\programdata\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2009-11-13 08:30 . 2009-10-19 03:02 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-13 08:30 . 2009-10-18 01:20 -------- d-----w- c:\programdata\Yahoo! Companion
2009-11-13 08:30 . 2007-08-31 12:25 -------- d--h--w- c:\programdata\yahoo!
2009-11-13 08:27 . 2009-11-11 04:44 -------- d-----w- c:\program files\Sports Interactive
2009-11-13 08:27 . 2007-08-31 11:55 -------- d-----w- c:\program files\Roxio
2009-11-13 08:27 . 2007-08-31 12:05 -------- d-----w- c:\program files\Rhapsody
2009-11-13 08:27 . 2009-11-13 08:16 -------- d-----w- c:\program files\Realtek
2009-11-13 08:27 . 2007-08-31 12:06 -------- d-----w- c:\program files\Real
2009-11-13 08:27 . 2009-11-07 09:55 -------- d-----w- c:\program files\NVIDIA Corporation
2009-11-13 08:27 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2009-11-13 08:27 . 2007-08-31 12:07 -------- d-----w- c:\program files\muvee Technologies
2009-11-13 08:27 . 2009-10-19 04:35 -------- d-----w- c:\program files\Microsoft.NET
2009-11-13 08:27 . 2007-08-31 12:12 -------- d-----w- c:\program files\Microsoft Works
2009-11-13 08:27 . 2009-10-23 08:01 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-13 08:27 . 2009-10-19 04:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-13 08:27 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-13 08:26 . 2009-10-25 22:05 -------- d-----w- c:\program files\Keyboard & Mouse Driver
2009-11-13 08:26 . 2009-10-22 20:45 -------- d-----w- c:\program files\Microsoft
2009-11-13 08:26 . 2009-10-19 15:27 -------- d-----w- c:\program files\LimeWire
2009-11-13 08:26 . 2009-10-18 08:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-13 08:26 . 2009-10-21 02:32 -------- d-----w- c:\program files\ImgBurn
2009-11-13 08:26 . 2007-08-31 11:49 -------- d-----w- c:\program files\HP Games
2009-11-13 08:23 . 2007-08-31 11:53 -------- d-----w- c:\program files\HP
2009-11-13 08:23 . 2007-08-31 11:33 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-13 08:23 . 2009-11-08 18:17 -------- d-----w- c:\program files\Guitar Pro 5
2009-11-13 08:22 . 2009-10-28 14:50 -------- d-----w- c:\program files\GameSpy
2009-11-13 08:22 . 2009-10-28 14:27 -------- d-----w- c:\program files\Electronic Arts
2009-11-13 08:22 . 2007-08-31 12:22 -------- d-----w- c:\program files\earthlink totalaccess
2009-11-13 08:21 . 2009-11-05 03:38 -------- d-----w- c:\program files\Dragon Age
2009-11-13 08:21 . 2009-10-18 01:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-13 08:21 . 2007-08-31 11:25 -------- d-----w- c:\program files\CONEXANT
2009-11-13 08:21 . 2009-10-31 06:09 -------- d-----w- c:\program files\Common Files\Steam
2009-11-13 08:21 . 2007-08-31 12:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-13 08:21 . 2007-08-31 11:55 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-11-13 08:21 . 2007-08-31 11:54 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-11 11:37 . 2009-11-11 11:37 2542458 ----a-w- c:\windows\system32\abgx360.exe
2009-11-10 05:47 . 2009-10-19 20:22 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-10 05:47 . 2009-10-19 20:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-09 07:49 . 2009-10-19 20:22 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-11-09 07:42 . 2009-11-08 19:20 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-19 20:22 22328 ----a-w- c:\users\Oscar\AppData\Roaming\PnkBstrK.sys
2009-11-09 07:32 . 2009-10-28 04:28 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-11-09 07:16 . 2009-11-09 07:16 1136 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-11-08 21:52 . 2007-08-31 11:41 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-11-07 09:43 . 2009-11-07 09:43 290816 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-11-03 08:28 . 2009-11-03 08:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-03 08:28 . 2009-11-03 08:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 02:42 . 2009-10-17 21:56 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 02:42 . 2009-10-24 02:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-10-23 01:13 . 2009-10-23 01:13 138240 ----a-w- c:\users\Oscar\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-10-20 06:36 . 2009-10-20 06:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-20 00:39 . 2009-10-20 00:39 177024 ----a-w- c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\FlashGot.exe
2009-10-19 21:22 . 2009-10-19 21:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-10-19 17:53 . 2009-10-19 17:53 38208 ----a-w- c:\users\Oscar\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-19 17:53 . 2009-10-19 17:53 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-16_05.45.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2009-12-16 22:15 35656 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-11-13 08:18 . 2009-12-16 23:06 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-13 08:18 . 2009-12-16 05:45 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-16 23:06 . 2009-12-16 23:06 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2009-12-16 05:45 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2009-12-16 23:06 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-13 20:32 . 2009-12-16 23:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-13 20:32 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-13 20:32 . 2009-12-16 05:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-13 20:32 . 2009-12-16 23:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-13 20:32 . 2009-12-16 23:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-13 20:32 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-13 11:12 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-13 11:12 . 2009-12-16 23:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-14 00:03 . 2009-12-16 23:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-14 00:03 . 2009-12-16 23:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-11-14 00:03 . 2009-12-16 23:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-11-14 00:03 . 2009-12-16 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-11-13 11:12 . 2009-12-16 05:45 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-13 11:12 . 2009-12-16 23:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-13 11:12 . 2009-12-16 05:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-13 11:12 . 2009-12-16 23:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-23 19:30 . 2009-12-16 08:05 2590 c:\windows\System32\wdi\ERCQueuedResolutions.dat
+ 2009-11-13 20:38 . 2009-12-16 22:15 7288 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1842487324-1744856576-3749998290-1000_UserData.bin
+ 2009-12-16 05:20 . 2009-12-16 23:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-16 05:20 . 2009-12-16 05:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-16 05:20 . 2009-12-16 23:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-12-16 05:20 . 2009-12-16 05:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:05 . 2009-12-16 05:24 626794 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2009-12-16 22:17 626794 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2009-12-16 05:24 108366 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2009-12-16 22:17 108366 c:\windows\System32\perfc009.dat
- 2009-07-14 02:03 . 2009-12-16 05:33 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:03 . 2009-12-16 16:08 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KMCONFIG"="c:\program files\Keyboard & Mouse Driver\StartAutorun.exe" [2008-05-30 212992]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 20:03 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPService]
2007-07-04 02:19 94208 ----a-w- c:\program files\HP\DVDPlay\DPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-05-24 20:13 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-06-01 20:40 1783400 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-10-31 06:10 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [12/14/2009 2:25 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [12/14/2009 2:25 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [12/14/2009 2:25 PM 53328]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [7/13/2009 5:19 PM 20992]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Keyboard & Mouse Driver\KMWDSrv.exe [6/23/2008 8:28 PM 208896]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [9/27/2009 4:48 PM 240232]
R3 portio32;portio32;c:\windows\System32\drivers\portio32.sys [11/23/2009 1:15 PM 2048]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/4/2009 9:46 PM 25832]
S3 fssfltr;fssfltr;c:\windows\System32\drivers\fssfltr.sys [10/23/2009 2:03 AM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\System32\drivers\KMWDFILTER.sys [4/29/2009 3:37 PM 17024]
S3 PsSdk41;PsSdk41;c:\windows\System32\drivers\pssdk41.sys [11/17/2009 11:59 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [7/13/2009 4:13 PM 661504]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [7/13/2009 4:13 PM 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [7/13/2009 4:13 PM 266752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
HsfXAudioService REG_MULTI_SZ HsfXAudioService
netsvc REG_MULTI_SZ SPService M
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\
FF - component: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{ef468e5b-5b30-4136-a833-7f2e3a31afdf}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\users\Oscar\AppData\Roaming\Mozilla\Firefox\Profiles\1xitc5ci.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - c:\programdata\adobe\sp.dll


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1652)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Keyboard & Mouse Driver\KMConfig.exe
c:\program files\Keyboard & Mouse Driver\KMProcess.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\jusched.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-12-16 17:10:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-16 23:10
ComboFix2.txt 2009-12-16 08:11
ComboFix3.txt 2009-12-16 07:07
ComboFix4.txt 2009-12-16 05:49

Pre-Run: 805,524,729,856 bytes free
Post-Run: 805,391,327,232 bytes free

- - End Of File - - A3A6B297DC0CE837FB08558DD15C643D
Upload was successful

#14 Oscarespinosa07

Oscarespinosa07
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 16 December 2009 - 08:45 PM

I received once again another blue screen, but again it passed too fast for me to catch anything. This time it happened as I was opening IE.

#15 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 AM

Posted 16 December 2009 - 11:02 PM

Hi Oscarespinosa07,

Open notepad and copy/paste the text in the code box below into it:

File::
c:\programdata\Microsoft\Windows Defender\LocalCopy\{E55E51D1-D3C8-CEA2-17E7-2420185D003E}-to5ffztij8.dll
c:\windows\system32\propsys3.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please post the C:\ComboFix.txt

Still getting blue screen?

Edited by Ried, 16 December 2009 - 11:04 PM.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."




