Multiple malware/viral infections (including 4dw4r3?)


27 replies to this topic

#1 Teafan

Teafan

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Cardiff
  • Local time:12:57 PM

Posted 25 February 2010 - 05:37 PM

My father-in-law's PC (running XP SP3) has become infected with all kinds of malware/viruses and I've dealt with some of it but can't get any further. I'll start by describing what the original symptoms were and now where I am with it. (Sorry for the length, but I guess you can never have too much information.)

History:
On boot-up met by the well-known control-centre virus. When Windows was fully loaded background wallpaper was changed to a message saying machine was infected by some virus/malware. Right-clicking on the taskbar showed that task manager was unavailable. Trying to open regedit.exe resulted in a message saying locked by administrator. Also it was impossible to change wallpaper using rightclick. Regular error messages were shown about processes that have been stopped (typically, but not exclusively, wmpscfgs.exe and acrotray .exe) [intentional space in that last one] and these repeatedly arose every few minutes. I tried to install MBAM but was unable to do so. Instead I burnt a-squared (obtained from publishers website) onto a CD and ran it from that. This picked up a lot of infections (bredolab, fraudload, dropper, VBNA, inject, JS.Gord, Tdss, dropper.pincher, gen.trojan, cryptor, patched, FakeMS, alureon, spy.platte, HTML.Fakinit to list a few from the log!) and tried to clean them. It got rid of the control-centre problem and allowed me to access Task Manager but not regedit nor change wallpaper. A virus scan (using AVG free version with recent definition files) found a couple instances of vundo (including in explorer.exe) and said windows needed to be rebooted to complete clean.

Current State:
Windows can only start in normal mode (trying safe mode produces a black screen with a stream of white text which is difficult to read and then windows restarts). In normal mode, windows gets to the point which I believe is just prior to explorer.exe launching where it stalls. By manually launching explorer.exe from Task Manager, the taskbar and various icons do load (though sometimes windows immediately crashes and sometimes gives me a different set of icons from the ones I was expecting). Once loaded, the wallpaper has been replaced by the active desktop recovery window and I'm unable to change it by rightclicking (regedit is still locked by administrator). I also note that I've no option to view hidden files through windows explorer. The task bar shows a small number of (what are to me) suspicious processes running including wmpscfgs.exe (although only occasionally), edsloader .exe and qttask .exe [spaces are deliberate] while winlogon.exe is a major resource hogger once the computer has been running for a couple of minutes (>95% of CPU usage and running above normal priority that cannot be changed).

I've managed to get defogger working successfully on the machine (it took a few attempts mind).
MBAM (with recent definition file) has been installed and can start (but only by using the random name trick). However, after a few seconds the whole computer restarts itself (I've tried at least a dozen times with the same result).
Dds.scr has been installed and despite giving it various names (i.e. those suggested here) does not run for very long before being terminated (certainly no sign of a log file).
GMER has however run (although painfully slowly - log attached below- included twice since ark.txt appeared corrupted).

If anyone can sort this then I'd be most grateful to say the least! I know you're all very busy so I'll be patient and not touch the machine any further without your instructions. (And if you can get anywhere with it I'll be spending several hours with the father-in-law talking to him about how to look after his computer, i.e. don't click yes on every webpage he visits and the importance of scanning for malware regularly...)

Many thanks in anticipation for your help,

Graeme


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 PM

Posted 28 February 2010 - 08:50 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
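The OTL report requested above has a fixed per-line layout (process/module/service/driver lines with timestamp, size, attributes, company and path; O4 autostart entries; O6/O7 policy entries), which makes a first triage pass scriptable. The following is an added example by the editor, not code from this thread, from OTL or from BleepingComputer: a Python helper that parses those line types and flags the indicators a helper checks first (a space hidden before the extension, Windows system names outside the Windows folder, hidden+system modules with a zero FILETIME, zero-byte drivers, autostarts from Temp, and the lockdown policies behind "regedit locked by administrator"). The sample lines, the SYSTEM_NAMES list and the heuristics are the editor's own assumptions, modelled on the OTL format.

```python
import re
import ntpath

# Windows core binary names that belong under the Windows directory only
# (assumed list; malware commonly reuses these names in the user profile).
SYSTEM_NAMES = {"winlogon.exe", "smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                "svchost.exe", "rundll32.exe", "explorer.exe", "spoolsv.exe"}

# Restrictive policies that produce the symptoms described in this thread.
LOCKDOWN_POLICIES = {
    "DisableRegistryTools": "regedit disabled by policy ('locked by administrator')",
    "NoFolderOptions": "Folder Options removed (no way to show hidden files)",
    "NoSetActiveDesktop": "Active Desktop settings locked",
    "NoActiveDesktopChanges": "wallpaper changes blocked",
}

# PRC/MOD/SRV/DRV: "<kind> - [date time | size | attrs | M] (company) [state] -- path -- (name)"
META_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<date>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| M\] \((?P<company>.*?)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \(.*\))?$"
)
# O4 autostart: "O4 - <hive>..\Run: [<value name>] <path> (<company>)"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)
# O6/O7 policy: "O7 - <hive>\...\policies\<key>: <name> = <data>"
POLICY_RE = re.compile(
    r"^O[67] - (?P<hive>\S+)\\policies\\(?P<key>\w+): (?P<name>\w+) = (?P<data>.+)$"
)


def parse_size(text):
    """OTL prints sizes as zero-padded, comma-grouped byte counts, e.g. '000,056,320'."""
    return int(text.replace(",", ""))


def check_path(path):
    """Flags that apply to any file path OTL reports."""
    reasons = []
    name = ntpath.basename(path.strip()).lower()
    if re.search(r"\s+\.(exe|dll|sys|scr)$", name):
        reasons.append("whitespace before the extension (look-alike of a legitimate file name)")
    if name.replace(" ", "") in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
        reasons.append("Windows system binary name outside the Windows directory")
    return reasons


def triage_line(line):
    """Return the reasons a single OTL line deserves a closer look (empty list if none)."""
    line = line.rstrip()
    reasons = []
    m = META_RE.match(line)
    if m:
        reasons += check_path(m["path"])
        if m["date"] == "1601/01/01":          # FILETIME zero: metadata wiped or faked
            reasons.append("zero FILETIME timestamp (1601-01-01)")
        if "H" in m["attrs"] and "S" in m["attrs"]:
            reasons.append("hidden+system attributes on a loaded module")
        if m["kind"] == "DRV" and parse_size(m["size"]) == 0:
            reasons.append("zero-byte driver file")
        return reasons
    m = RUN_RE.match(line)
    if m:
        reasons += check_path(m["path"])
        low = m["path"].lower()
        if "\\local settings\\temp\\" in low or "\\application data\\" in low:
            reasons.append("autostart from a Temp or Application Data folder")
        if re.fullmatch(r"[a-z0-9]{20,}", m["name"]):   # crude heuristic for random names
            reasons.append("long random-looking Run value name")
        return reasons
    m = POLICY_RE.match(line)
    if m and m["name"] in LOCKDOWN_POLICIES and m["data"].strip() == "1":
        reasons.append(LOCKDOWN_POLICIES[m["name"]])
    return reasons


def triage(lines):
    """Run every line through the checks; return [(line, [reasons...]), ...] for hits only."""
    hits = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            hits.append((line.rstrip(), reasons))
    return hits


# Constructed sample lines in the OTL layout (not a real log).
SAMPLE_LOG = r"""
PRC - [2010/02/22 07:19:00 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\rundll32.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
MOD - [1601/01/01 00:03:52 | 000,052,736 | -HS- | M] () -- C:\WINDOWS\system32\yorerufo.dll
DRV - [2010/02/17 11:26:21 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\lmnuxmxn.sys -- (lmnuxmxn)
DRV - [2008/04/13 18:40:30 | 000,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
O4 - HKLM..\Run: [QuickTime Task] c:\program files\quicktime\qttask .exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-21-1005..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Documents and Settings\ROGER\Local Settings\Temp\winlogon.exe ()
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
""".strip().splitlines()

if __name__ == "__main__":
    for hit_line, hit_reasons in triage(SAMPLE_LOG):
        print(hit_line)
        for reason in hit_reasons:
            print("    ->", reason)
```

A hit is a prompt to look, not a verdict: per-user installers legitimately live under Application Data, so confirm each flagged file before acting on it.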


#3 Teafan

Teafan
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Cardiff
  • Local time:12:57 PM

Posted 28 February 2010 - 12:22 PM

Hi Elise,

Many thanks for your help on this matter. I've referred to this forum a few times in the past and been able to resolve my difficulties without needing further help. But this time I need an expert!

OTL ran successfully and the reports are below. GMER would not complete its scan with all the boxes checked - it started hanging on atapi.sys with the message "the process cannot access the file because it is being used by another process." At this point the entire machine froze and not even the clock was updated. I tried a number of times with the same result. However, I had the results from a previous scan with the Sections and IAT/EAT unchecked and they are given below. (There have been no alterations in software between then and now other than any that may have been caused by running OTL and I cannot get the machine to boot in safe mode - see comments in original post.)

Many thanks,

Graeme


%%%%%%%%%%%%
%OTListIt.txt
%%%%%%%%%%%%

OTL logfile created on: 22/02/2010 07:21:16 - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\ROGER\Desktop\BLEEPINGCOMPUTER
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

447.00 Mb Total Physical Memory | 144.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 62.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.10 Gb Total Space | 7.22 Gb Free Space | 21.18% Space Free | Partition Type: NTFS
Drive D: | 34.57 Gb Total Space | 33.39 Gb Free Space | 96.57% Space Free | Partition Type: FAT32
Drive E: | 1.17 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROGERPC
Current User Name: ROGER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/28 15:41:20 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ROGER\Desktop\BLEEPINGCOMPUTER\OTL.exe
PRC - [2010/02/22 07:19:00 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\rundll32.exe
PRC - [2010/02/19 14:01:17 | 000,056,320 | ---- | M] () -- C:\WINDOWS\system32\nwiz.exe
PRC - [2010/02/17 11:30:50 | 000,056,320 | ---- | M] () -- c:\Documents and Settings\ROGER\rundll32 .exe
PRC - [2010/02/16 15:33:12 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/02/16 15:33:11 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/02/16 15:33:11 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/02/16 15:33:11 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/02/16 15:33:03 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/02/16 00:55:13 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2010/01/01 03:45:13 | 000,135,664 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/29 12:41:26 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/07/11 22:19:00 | 000,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/05/11 23:22:48 | 000,028,672 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PRC - [2006/02/17 22:26:32 | 000,073,728 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe


========== Modules (SafeList) ==========

MOD - [2010/02/28 15:41:20 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ROGER\Desktop\BLEEPINGCOMPUTER\OTL.exe
MOD - [1601/01/01 00:03:52 | 000,052,736 | -HS- | M] () -- C:\WINDOWS\system32\yorerufo.dll
MOD - [1601/01/01 00:03:52 | 000,052,736 | -HS- | M] () -- C:\WINDOWS\system32\pazodoga.dll
MOD - [1601/01/01 00:03:28 | 000,093,696 | -HS- | M] () -- C:\WINDOWS\system32\suteniro.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (a2free)
SRV - [2010/02/16 15:33:03 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/02/16 00:55:13 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2010/01/01 03:45:13 | 000,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/30 11:30:20 | 000,541,992 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/05/29 12:41:26 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/27 08:40:45 | 000,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/07/11 22:19:00 | 000,155,715 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/05/11 23:22:48 | 000,028,672 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe -- (AcerMemUsageCheckService)
SRV - [2006/02/17 22:26:32 | 000,073,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- c:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2005/11/14 09:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/07/25 19:25:18 | 000,491,520 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxcfcoms.exe -- (lxcf_device)


========== Driver Services (SafeList) ==========

DRV - [2010/02/17 11:26:21 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\lmnuxmxn.sys -- (lmnuxmxn)
DRV - [2010/02/16 15:34:49 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/02/16 15:34:49 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/02/16 15:34:48 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/03/19 15:32:48 | 000,023,400 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/05/15 19:07:00 | 000,061,424 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\CyberLink\PowerDVD8\000.fcl -- ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054})
DRV - [2008/04/13 18:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 18:40:30 | 000,096,512 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008/04/13 16:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 10:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/15 22:33:10 | 000,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/06/15 18:49:30 | 000,019,840 | R--- | M] (Generic) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\StMp3Rec.sys -- (StMp3Rec)
DRV - [2007/03/30 18:12:02 | 010,199,296 | ---- | M] (Sonix Co. Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\snpstd3.sys -- (SNPSTD3) USB PC Camera (SNPSTD3)
DRV - [2006/08/11 21:03:44 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2006/07/11 22:19:00 | 003,934,592 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/06/29 08:53:00 | 000,244,864 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/06/28 17:39:02 | 000,089,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2006/06/28 17:38:56 | 000,105,088 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2006/06/19 06:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/05 20:09:26 | 004,284,928 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/04/08 04:17:34 | 000,012,288 | ---- | M] (HiTRUST) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psdfilter.sys -- (psdfilter)
DRV - [2006/03/09 01:10:52 | 000,060,416 | ---- | M] (HiTRUST) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psdvdisk.sys -- (psdvdisk)
DRV - [2005/10/28 18:38:18 | 000,402,432 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZD1211BU.sys -- (ZD1211BU(ZyDAS)) ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/10/04 22:38:24 | 000,280,064 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZD1211U.sys -- (ZD1211U(ZyDAS)) ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/01/13 22:46:16 | 000,069,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2004/12/17 02:14:44 | 000,013,952 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2004/10/25 20:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - [2004/08/10 20:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.live.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.live.com/ [binary data]
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 02 87 43 FF E9 9B CA 01 [binary data]
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\S-1-5-21-3573713635-23850275-2346460486-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\S-1-5-21-3573713635-23850275-2346460486-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://google.atcomet.com/b/"


FF - HKLM\software\mozilla\Firefox\extensions\\{8E9157C2-0ECE-42FB-B42E-4323392BEF34}: C:\Documents and Settings\ROGER\Local Settings\Application Data\{8E9157C2-0ECE-42FB-B42E-4323392BEF34} [2010/02/01 01:06:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}: C:\Documents and Settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F} [2010/02/15 15:22:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{7CF47A2A-4C87-44FA-A4F7-BFCEC2606D98}: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{7CF47A2A-4C87-44FA-A4F7-BFCEC2606D98} [2010/02/17 10:06:23 | 000,000,000 | ---D | M]

[2009/04/19 10:23:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ROGER\Application Data\Mozilla\Extensions
[2009/02/12 09:20:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ROGER\Application Data\Mozilla\Firefox\Profiles\6mhbbsxv.default\extensions

O1 HOSTS File: ([2004/08/10 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {49e87e14-c80d-4a00-ae05-2a966264a23b} - C:\WINDOWS\System32\pazodoga.dll ()
O2 - BHO: (C:\WINDOWS\system32\o3su31.dll) - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\System32\o3su31.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (no name) - {b7015c83-786f-46cf-940b-c65b867a1ddf} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll (HiTRUST)
O3 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\System32\alcmtr.exe ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe ()
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe ()
O4 - HKLM..\Run: [gobehabuye] C:\WINDOWS\System32\gamibuyo.dll ()
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe ()
O4 - HKLM..\Run: [Java Quick Start] C:\Documents and Settings\ROGER\jusched.exe ()
O4 - HKLM..\Run: [Kvemukazaqa] C:\WINDOWS\ujibafidequ.DLL (Firelight Technologies)
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [LXCFCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.DLL ()
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [plsi] C:\WINDOWS\system32\pm_proc1.exe ()
O4 - HKLM..\Run: [QuickTime Task] c:\program files\quicktime\qttask .exe ()
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe ()
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\System32\rthdcpl.exe ()
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\System32\skytel.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe ()
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [zumipirun] C:\WINDOWS\System32\suteniro.DLL ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\Documents and Settings\ROGER\Local Settings\Temp\winlogon.exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [ejaduaqo] c:\documents and settings\roger\local settings\application data\ejaduaqo.exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [MsnMsgr] c:\program files\windows live\messenger\msnmsgr .exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [qiinae] C:\Documents and Settings\ROGER\qiinae.exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [qiinae ] C:\Documents and Settings\ROGER\qiinae .exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [uishf9wuifwuh387fh3wufinhjfdwefe] C:\Documents and Settings\ROGER\Local Settings\Temp\a9l0z1.exe ()
O4 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe (Acer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe (X-Micro Technology Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O8 - Extra context menu item: &D&ownload &with BitComet - C:\program files\BitComet\bitcomet .exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\program files\BitComet\bitcomet .exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\program files\BitComet\bitcomet .exe (www.BitComet.com)
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll (BitComet)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: buy-internetsecurity10.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: buy-is2010.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..Trusted Domains: buy-internetsecurity10.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..Trusted Domains: buy-is2010.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..Trusted Domains: is10-soft-download.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..Trusted Domains: is-software-download.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005\..Trusted Domains: is-software-download25.com ([]http in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\suteniro.dll) - C:\WINDOWS\system32\suteniro.dll ()
O20 - AppInit_DLLs: (yorerufo.dll) - C:\WINDOWS\System32\yorerufo.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\winlogon32.exe) - C:\WINDOWS\System32\winlogon32.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe ()
O20 - HKU\S-1-5-21-3573713635-23850275-2346460486-1005 Winlogon: Shell - (C:\Documents and Settings\ROGER\Application Data\Control-Center\ccmain.exe) - C:\Documents and Settings\ROGER\Application Data\Control-Center\ccmain.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O21 - SSODL: pipedeped - {807a8677-e344-4dc5-b5c9-1fb7c228c104} - C:\WINDOWS\system32\suteniro.dll ()
O22 - SharedTaskScheduler: {807a8677-e344-4dc5-b5c9-1fb7c228c104} - gahurihor - C:\WINDOWS\system32\suteniro.dll ()
O22 - SharedTaskScheduler: {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - dfgfgfiljojigidghu7yuhdiugrh98au - C:\WINDOWS\System32\o3su31.dll File not found
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ROGER\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/11 21:04:08 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk /r \??\C:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/19 06:01:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/17 01:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ROGER\Application Data\Malwarebytes
[2010/02/17 01:18:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/17 01:18:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/17 01:18:00 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/16 15:55:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ROGER\Application Data\AVG9
[2010/02/16 15:35:01 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/02/16 15:33:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/02/16 15:31:18 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/16 13:31:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ROGER\Desktop\BLEEPINGCOMPUTER
[2010/02/16 00:56:43 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/02/16 00:56:42 | 000,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/16 00:56:34 | 000,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/02/16 00:56:33 | 000,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/02/16 00:56:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/02/16 00:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/02/16 00:55:13 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/02/16 00:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2010/02/15 15:26:38 | 000,073,728 | RHS- | C] (ZPoqnEwe) -- C:\Documents and Settings\ROGER\qiinae .scr
[2010/02/15 15:21:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}
[2010/02/15 09:34:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/15 09:20:40 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\ROGER\Desktop\mbam-setup.exe
[2010/02/15 08:09:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/02/15 07:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/02/15 07:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/15 07:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/02/01 04:33:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/01 01:23:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ROGER\Application Data\Control-Center
[2010/02/01 01:20:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/02/01 01:20:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/02/01 01:06:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ROGER\Local Settings\Application Data\{8E9157C2-0ECE-42FB-B42E-4323392BEF34}
[2010/02/01 01:01:33 | 000,073,728 | RHS- | C] (ZPoqnEwe) -- C:\Documents and Settings\ROGER\qiinae .exe
[2010/01/01 03:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/01 03:45:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/06/19 17:45:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/12/23 04:46:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2007/08/28 01:10:30 | 000,172,032 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnpstd3.dll
[2007/08/28 01:10:30 | 000,172,032 | ---- | C] ( ) -- C:\WINDOWS\rsnpstd3.dll
[2007/08/28 01:10:30 | 000,061,440 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd3.dll
[2007/08/28 01:10:30 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd3.dll
[2006/12/03 23:38:30 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.Shell32.dll
[2006/09/11 07:13:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/07/25 19:31:30 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll
[2005/07/25 19:27:22 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll
[2005/07/25 19:26:58 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll
[2005/07/25 19:25:26 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll
[2005/07/25 19:24:46 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll
[2005/07/25 19:24:14 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll
[2005/07/25 19:19:36 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/22 07:23:05 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\buviveze
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/02/22 07:19:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/02/22 07:19:02 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\pm_proc1.exe
[2010/02/22 07:19:01 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\jusched.exe
[2010/02/22 07:19:00 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\rundll32.exe
[2010/02/22 07:18:48 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\alcmtr.exe
[2010/02/22 07:18:47 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\skytel.exe
[2010/02/22 07:18:46 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\rthdcpl.exe
[2010/02/22 07:18:45 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\nwiz.exe
[2010/02/22 07:18:43 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\qiinae .exe
[2010/02/22 07:18:42 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\qiinae.exe
[2010/02/22 07:18:39 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\smss32.exe
[2010/02/22 07:18:37 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo.exe
[2010/02/22 07:17:15 | 000,073,451 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/02/22 07:16:55 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/02/22 07:16:32 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/22 07:16:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/22 07:16:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/22 05:20:43 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\ROGER\NTUSER.DAT
[2010/02/22 05:20:43 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\ROGER\ntuser.ini
[2010/02/22 05:05:03 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/19 14:01:20 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\alcmtr.exe
[2010/02/19 14:01:19 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\skytel.exe
[2010/02/19 14:01:18 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\rthdcpl.exe
[2010/02/19 14:01:17 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\nwiz.exe
[2010/02/19 13:50:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/19 10:06:24 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wkomokesi.bin
[2010/02/18 10:23:54 | 000,000,004 | ---- | M] () -- C:\Program Files\154234.dat
[2010/02/17 22:15:20 | 000,000,004 | ---- | M] () -- C:\Program Files\359781.dat
[2010/02/17 14:46:35 | 000,000,004 | ---- | M] () -- C:\Program Files\218140.dat
[2010/02/17 14:42:42 | 000,000,004 | ---- | M] () -- C:\Program Files\147687.dat
[2010/02/17 14:40:01 | 000,000,004 | ---- | M] () -- C:\Program Files\126953.dat
[2010/02/17 14:37:40 | 000,000,004 | ---- | M] () -- C:\Program Files\144453.dat
[2010/02/17 11:56:04 | 000,000,004 | ---- | M] () -- C:\Program Files\355625.dat
[2010/02/17 11:49:49 | 000,000,004 | ---- | M] () -- C:\Program Files\212562.dat
[2010/02/17 11:41:05 | 000,000,004 | ---- | M] () -- C:\Program Files\200328.dat
[2010/02/17 11:36:48 | 000,000,004 | ---- | M] () -- C:\Program Files\570937.dat
[2010/02/17 11:32:02 | 000,000,609 | ---- | M] () -- C:\Documents and Settings\ROGER\Desktop\Shortcut to Malwarebytes' Anti-Malware.lnk
[2010/02/17 11:31:08 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\jusched .exe
[2010/02/17 11:30:56 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\alcmtr .exe
[2010/02/17 11:30:55 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\skytel .exe
[2010/02/17 11:30:53 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\rthdcpl .exe
[2010/02/17 11:30:51 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\nwiz .exe
[2010/02/17 11:30:50 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\ROGER\rundll32 .exe
[2010/02/17 11:30:45 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\smss32 .exe
[2010/02/17 11:26:21 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lmnuxmxn.sys
[2010/02/17 10:44:44 | 000,000,004 | ---- | M] () -- C:\Program Files\1232890.dat
[2010/02/17 10:23:58 | 000,000,004 | ---- | M] () -- C:\Program Files\703578.dat
[2010/02/17 10:17:48 | 000,000,004 | ---- | M] () -- C:\Program Files\333750.dat
[2010/02/17 10:08:54 | 000,000,004 | ---- | M] () -- C:\Program Files\570687.dat
[2010/02/17 01:26:09 | 000,000,004 | ---- | M] () -- C:\Program Files\1618328.dat
[2010/02/17 01:20:54 | 000,000,004 | ---- | M] () -- C:\Program Files\1302890.dat
[2010/02/17 01:19:10 | 000,000,717 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/17 00:21:54 | 000,000,004 | ---- | M] () -- C:\Program Files\1203156.dat
[2010/02/16 23:47:31 | 000,000,004 | ---- | M] () -- C:\Program Files\13430718.dat
[2010/02/16 23:40:01 | 000,000,000 | ---- | M] () -- C:\Program Files\12980812.dat
[2010/02/16 20:03:25 | 000,000,004 | ---- | M] () -- C:\Program Files\4615265.dat
[2010/02/16 18:46:16 | 000,000,004 | ---- | M] () -- C:\Program Files\7625984.dat
[2010/02/16 16:00:34 | 000,000,004 | ---- | M] () -- C:\Program Files\1247609.dat
[2010/02/16 15:53:48 | 000,000,004 | ---- | M] () -- C:\Program Files\841765.dat
[2010/02/16 15:45:37 | 000,000,644 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/16 15:34:57 | 047,541,798 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/16 15:34:49 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/02/16 15:34:49 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/02/16 15:34:49 | 000,136,354 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/02/16 15:34:49 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/02/16 15:34:49 | 000,001,511 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/16 15:34:48 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/02/16 15:33:17 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/02/16 14:49:49 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Video .lnk
[2010/02/16 14:49:48 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Music .lnk
[2010/02/16 14:49:47 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Pictures .lnk
[2010/02/16 14:49:44 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Documents .lnk
[2010/02/16 14:49:41 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Passwords .lnk
[2010/02/16 14:49:40 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\New Folder .lnk
[2010/02/16 14:21:47 | 000,000,004 | ---- | M] () -- C:\Program Files\2156125.dat
[2010/02/16 13:45:37 | 000,000,004 | ---- | M] () -- C:\Program Files\798343.dat
[2010/02/16 13:45:37 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\ROGER\defogger_reenable
[2010/02/16 13:32:04 | 000,000,004 | ---- | M] () -- C:\Program Files\1025250.dat
[2010/02/16 13:09:33 | 000,000,004 | ---- | M] () -- C:\Program Files\1143578.dat
[2010/02/16 12:50:16 | 000,000,004 | ---- | M] () -- C:\Program Files\2385812.dat
[2010/02/16 12:10:16 | 000,000,004 | ---- | M] () -- C:\Program Files\2799296.dat
[2010/02/16 01:45:09 | 000,000,004 | ---- | M] () -- C:\Program Files\1211062.dat
[2010/02/16 01:35:23 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\pm_proc1 .exe
[2010/02/16 01:24:45 | 000,000,004 | ---- | M] () -- C:\Program Files\3396765.dat
[2010/02/16 01:23:48 | 000,000,162 | ---- | M] () -- C:\WINDOWS\System32\pinf.sys
[2010/02/16 01:23:33 | 000,000,004 | ---- | M] () -- C:\Program Files\3324781.dat
[2010/02/16 00:56:23 | 006,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/02/16 00:56:23 | 000,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/02/16 00:27:15 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Video.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Pictures.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Passwords.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\New Folder.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Music.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\ROGER\Documents.lnk
[2010/02/16 00:09:38 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/16 00:03:07 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\alcmtr .exe
[2010/02/16 00:03:06 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\skytel .exe
[2010/02/16 00:03:05 | 000,056,320 | ---- | M] () -- C:\WINDOWS\System32\rthdcpl .exe
[2010/02/15 15:58:45 | 000,000,004 | ---- | M] () -- C:\Program Files\3101875.dat
[2010/02/15 15:48:32 | 000,000,440 | ---- | M] () -- C:\WINDOWS\System32\7FDD6DB3BC02D610D017A47EADB2CC4779EBB991.A2Q
[2010/02/15 15:48:25 | 000,000,440 | ---- | M] () -- C:\WINDOWS\System32\0D2CA4C1D8AAF6CF47C8BCCAE889232BB97A4482.A2Q
[2010/02/15 15:32:14 | 000,000,004 | ---- | M] () -- C:\Program Files\1510781.dat
[2010/02/15 15:26:31 | 000,000,126 | RHS- | M] () -- C:\Documents and Settings\ROGER\autorun.inf
[2010/02/15 11:59:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\IS15.exe
[2010/02/15 11:59:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\helper32.dll
[2010/02/15 09:37:24 | 000,000,004 | ---- | M] () -- C:\Program Files\941015.dat
[2010/02/15 09:20:54 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\ROGER\Desktop\mbam-setup.exe
[2010/02/15 09:01:39 | 000,000,004 | ---- | M] () -- C:\Program Files\1819625.dat
[2010/02/15 08:29:54 | 000,000,004 | ---- | M] () -- C:\Program Files\803640.dat
[2010/02/15 08:07:55 | 000,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\mswintmp.dat
[2010/02/15 07:56:54 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mhelofiboqa.dat
[2010/02/15 07:41:22 | 000,001,919 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/01 09:33:30 | 000,000,004 | ---- | M] () -- C:\Program Files\475640.dat
[2010/02/01 04:39:27 | 000,000,004 | ---- | M] () -- C:\Program Files\1020984.dat
[2010/02/01 01:44:45 | 000,000,004 | ---- | M] () -- C:\Program Files\2149640.dat
[2010/02/01 01:06:58 | 000,001,920 | ---- | M] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo_navps.dat
[2010/02/01 01:06:30 | 000,004,091 | ---- | M] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo.dat
[2010/02/01 01:04:16 | 000,069,120 | ---- | M] () -- C:\WINDOWS\System32\app_dll.dll
[2010/02/01 01:01:36 | 000,073,728 | RHS- | M] (ZPoqnEwe) -- C:\Documents and Settings\ROGER\qiinae .scr
[2010/02/01 01:01:36 | 000,073,728 | RHS- | M] (ZPoqnEwe) -- C:\Documents and Settings\ROGER\qiinae .exe
[2010/01/31 04:46:48 | 000,033,660 | ---- | M] () -- C:\Documents and Settings\ROGER\Desktop\SoHUNTBIT COMET MUSIC SEARCH.url
[2010/01/31 03:27:39 | 000,323,584 | ---- | M] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo .exe
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/19 11:01:51 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/02/19 11:01:51 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/02/19 11:01:51 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/02/19 11:01:51 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/02/19 11:01:51 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/02/19 11:01:50 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/02/19 11:01:50 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/02/19 11:01:50 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/02/19 11:01:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/02/19 11:01:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/02/19 11:01:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/02/19 11:01:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/02/19 11:01:49 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/02/19 11:01:48 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/02/19 11:01:47 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/02/18 10:23:54 | 000,000,004 | ---- | C] () -- C:\Program Files\154234.dat
[2010/02/17 22:15:20 | 000,000,004 | ---- | C] () -- C:\Program Files\359781.dat
[2010/02/17 14:46:35 | 000,000,004 | ---- | C] () -- C:\Program Files\218140.dat
[2010/02/17 14:42:42 | 000,000,004 | ---- | C] () -- C:\Program Files\147687.dat
[2010/02/17 14:40:01 | 000,000,004 | ---- | C] () -- C:\Program Files\126953.dat
[2010/02/17 14:37:40 | 000,000,004 | ---- | C] () -- C:\Program Files\144453.dat
[2010/02/17 11:56:04 | 000,000,004 | ---- | C] () -- C:\Program Files\355625.dat
[2010/02/17 11:49:49 | 000,000,004 | ---- | C] () -- C:\Program Files\212562.dat
[2010/02/17 11:41:05 | 000,000,004 | ---- | C] () -- C:\Program Files\200328.dat
[2010/02/17 11:36:48 | 000,000,004 | ---- | C] () -- C:\Program Files\570937.dat
[2010/02/17 11:32:02 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\ROGER\Desktop\Shortcut to Malwarebytes' Anti-Malware.lnk
[2010/02/17 11:31:08 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\jusched.exe
[2010/02/17 11:31:08 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\jusched .exe
[2010/02/17 11:30:56 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\alcmtr.exe
[2010/02/17 11:30:56 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\alcmtr .exe
[2010/02/17 11:30:55 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\skytel.exe
[2010/02/17 11:30:55 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\skytel .exe
[2010/02/17 11:30:53 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\rthdcpl.exe
[2010/02/17 11:30:53 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\rthdcpl .exe
[2010/02/17 11:30:51 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\nwiz.exe
[2010/02/17 11:30:51 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\nwiz .exe
[2010/02/17 11:30:50 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\rundll32.exe
[2010/02/17 11:30:50 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\rundll32 .exe
[2010/02/17 11:30:48 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\qiinae.exe
[2010/02/17 11:30:45 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\smss32.exe
[2010/02/17 11:30:45 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\smss32 .exe
[2010/02/17 11:30:44 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo.exe
[2010/02/17 10:44:44 | 000,000,004 | ---- | C] () -- C:\Program Files\1232890.dat
[2010/02/17 10:23:58 | 000,000,004 | ---- | C] () -- C:\Program Files\703578.dat
[2010/02/17 10:17:48 | 000,000,004 | ---- | C] () -- C:\Program Files\333750.dat
[2010/02/17 10:08:54 | 000,000,004 | ---- | C] () -- C:\Program Files\570687.dat
[2010/02/17 01:26:09 | 000,000,004 | ---- | C] () -- C:\Program Files\1618328.dat
[2010/02/17 01:20:54 | 000,000,004 | ---- | C] () -- C:\Program Files\1302890.dat
[2010/02/17 01:18:06 | 000,000,717 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/17 00:21:54 | 000,000,004 | ---- | C] () -- C:\Program Files\1203156.dat
[2010/02/17 00:05:13 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2010/02/16 23:47:31 | 000,000,004 | ---- | C] () -- C:\Program Files\13430718.dat
[2010/02/16 23:40:01 | 000,000,000 | ---- | C] () -- C:\Program Files\12980812.dat
[2010/02/16 20:03:25 | 000,000,004 | ---- | C] () -- C:\Program Files\4615265.dat
[2010/02/16 18:46:16 | 000,000,004 | ---- | C] () -- C:\Program Files\7625984.dat
[2010/02/16 16:00:34 | 000,000,004 | ---- | C] () -- C:\Program Files\1247609.dat
[2010/02/16 15:53:48 | 000,000,004 | ---- | C] () -- C:\Program Files\841765.dat
[2010/02/16 15:34:49 | 000,001,511 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/02/16 15:33:17 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/02/16 14:21:47 | 000,000,004 | ---- | C] () -- C:\Program Files\2156125.dat
[2010/02/16 13:45:37 | 000,000,004 | ---- | C] () -- C:\Program Files\798343.dat
[2010/02/16 13:45:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\ROGER\defogger_reenable
[2010/02/16 13:32:04 | 000,000,004 | ---- | C] () -- C:\Program Files\1025250.dat
[2010/02/16 13:09:33 | 000,000,004 | ---- | C] () -- C:\Program Files\1143578.dat
[2010/02/16 12:50:16 | 000,000,004 | ---- | C] () -- C:\Program Files\2385812.dat
[2010/02/16 12:10:16 | 000,000,004 | ---- | C] () -- C:\Program Files\2799296.dat
[2010/02/16 01:45:09 | 000,000,004 | ---- | C] () -- C:\Program Files\1211062.dat
[2010/02/16 01:35:23 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\pm_proc1.exe
[2010/02/16 01:35:23 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\pm_proc1 .exe
[2010/02/16 01:24:45 | 000,000,004 | ---- | C] () -- C:\Program Files\3396765.dat
[2010/02/16 01:23:33 | 000,000,004 | ---- | C] () -- C:\Program Files\3324781.dat
[2010/02/16 00:56:23 | 047,541,798 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/16 00:56:23 | 006,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/02/16 00:56:23 | 000,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/02/16 00:56:23 | 000,136,354 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/02/16 00:27:15 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Video.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Pictures.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Passwords.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Music.lnk
[2010/02/16 00:27:15 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Documents.lnk
[2010/02/16 00:27:13 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\New Folder.lnk
[2010/02/16 00:03:07 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\alcmtr.exe
[2010/02/16 00:03:07 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\alcmtr .exe
[2010/02/16 00:03:06 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\skytel.exe
[2010/02/16 00:03:06 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\skytel .exe
[2010/02/16 00:03:05 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\rthdcpl.exe
[2010/02/16 00:03:05 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\rthdcpl .exe
[2010/02/15 15:58:45 | 000,000,004 | ---- | C] () -- C:\Program Files\3101875.dat
[2010/02/15 15:48:23 | 000,000,440 | ---- | C] () -- C:\WINDOWS\System32\7FDD6DB3BC02D610D017A47EADB2CC4779EBB991.A2Q
[2010/02/15 15:48:23 | 000,000,440 | ---- | C] () -- C:\WINDOWS\System32\0D2CA4C1D8AAF6CF47C8BCCAE889232BB97A4482.A2Q
[2010/02/15 15:32:14 | 000,000,004 | ---- | C] () -- C:\Program Files\1510781.dat
[2010/02/15 15:26:39 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Video .lnk
[2010/02/15 15:26:39 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Pictures .lnk
[2010/02/15 15:26:39 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Passwords .lnk
[2010/02/15 15:26:39 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\New Folder .lnk
[2010/02/15 15:26:39 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Music .lnk
[2010/02/15 15:26:39 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\ROGER\Documents .lnk
[2010/02/15 15:26:31 | 000,000,126 | RHS- | C] () -- C:\Documents and Settings\ROGER\autorun.inf
[2010/02/15 11:34:28 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/02/15 09:37:24 | 000,000,004 | ---- | C] () -- C:\Program Files\941015.dat
[2010/02/15 09:01:39 | 000,000,004 | ---- | C] () -- C:\Program Files\1819625.dat
[2010/02/15 08:29:54 | 000,000,004 | ---- | C] () -- C:\Program Files\803640.dat
[2010/02/15 08:12:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\lmnuxmxn.sys
[2010/02/15 08:07:55 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mswintmp.dat
[2010/02/15 07:41:22 | 000,001,919 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/01 09:33:30 | 000,000,004 | ---- | C] () -- C:\Program Files\475640.dat
[2010/02/01 04:39:27 | 000,000,004 | ---- | C] () -- C:\Program Files\1020984.dat
[2010/02/01 01:44:45 | 000,000,004 | ---- | C] () -- C:\Program Files\2149640.dat
[2010/02/01 01:06:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wkomokesi.bin
[2010/02/01 01:06:13 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mhelofiboqa.dat
[2010/02/01 01:04:15 | 000,069,120 | ---- | C] () -- C:\WINDOWS\System32\app_dll.dll
[2010/02/01 01:02:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\IS15.exe
[2010/02/01 01:02:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\helper32.dll
[2010/02/01 01:01:33 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\ROGER\qiinae .exe
[2010/01/31 03:28:00 | 000,207,018 | ---- | C] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo_nav.dat
[2010/01/31 03:28:00 | 000,004,091 | ---- | C] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo.dat
[2010/01/31 03:28:00 | 000,001,920 | ---- | C] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo_navps.dat
[2010/01/31 03:27:39 | 000,323,584 | ---- | C] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo .exe
[2009/10/04 10:59:43 | 000,025,601 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2008/07/25 16:14:24 | 000,000,162 | ---- | C] () -- C:\WINDOWS\System32\pinf.sys
[2008/07/25 16:10:27 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\jRegistryKey.dll
[2008/07/25 16:10:25 | 000,000,321 | -HS- | C] () -- C:\WINDOWS\System32\3557650112.sys
[2007/12/11 22:34:56 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/12/11 22:33:14 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/12/11 22:33:14 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/12/11 22:32:28 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/10/11 16:25:26 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/08/28 01:10:30 | 000,015,498 | ---- | C] () -- C:\WINDOWS\snpstd3.ini
[2007/03/05 20:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/12/11 05:42:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2006/12/11 00:17:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/04 00:40:35 | 000,059,904 | ---- | C] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/03 23:40:35 | 000,000,294 | ---- | C] () -- C:\WINDOWS\PowerOption.ini
[2006/12/03 23:38:30 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\ScrollBarLib.dll
[2006/12/03 23:33:03 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\ROGER\Local Settings\Application Data\fusioncache.dat
[2006/08/11 21:07:24 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/11 21:06:08 | 000,000,050 | ---- | C] () -- C:\WINDOWS\commercial.ini
[2006/08/11 21:05:40 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MWLPS.dll
[2006/08/11 21:04:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2006/08/11 21:03:44 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2006/08/11 21:03:44 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2006/08/11 21:03:44 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2006/08/11 21:03:44 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2006/07/11 22:19:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/11 22:19:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/11 22:19:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/11 22:19:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/07/11 22:19:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/11 22:19:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/07/11 22:19:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/04/12 22:08:36 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\InstallCheck.dll
[2006/03/09 01:19:28 | 001,421,824 | ---- | C] () -- C:\WINDOWS\System32\UIVCL.dll
[2006/03/09 01:11:30 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\APISlice.dll
[2005/11/10 19:27:42 | 000,003,218 | ---- | C] () -- C:\WINDOWS\System32\drivers\WINIO.sys
[2005/10/31 02:17:38 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/10/26 06:25:28 | 000,008,073 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/10/12 16:43:40 | 000,000,095 | ---- | C] () -- C:\WINDOWS\alaunch.ini
[2005/08/05 21:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/12 21:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2005/07/07 09:12:28 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll
[2005/04/04 07:44:04 | 000,000,258 | ---- | C] () -- C:\WINDOWS\Clearlnk.ini
[2004/12/17 02:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/08/10 20:00:00 | 000,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2004/08/10 20:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/03/23 23:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2001/12/26 22:12:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 05:46:38 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 22:33:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 04:04:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1601/01/01 00:03:52 | 000,052,736 | -HS- | C] () -- C:\WINDOWS\System32\yorerufo.dll
[1601/01/01 00:03:52 | 000,052,736 | -HS- | C] () -- C:\WINDOWS\System32\pazodoga.dll
[1601/01/01 00:03:52 | 000,052,736 | -HS- | C] () -- C:\WINDOWS\System32\gamibuyo.dll
[1601/01/01 00:03:28 | 000,093,696 | -HS- | C] () -- C:\WINDOWS\System32\suteniro.dll
[1601/01/01 00:03:28 | 000,045,568 | -HS- | C] () -- C:\WINDOWS\System32\bamonipo.dll
[1601/01/01 00:03:28 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\herifolu.dll
[1601/01/01 00:00:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\4DW4R3xyDoGNJMNP.sys
[1601/01/01 00:00:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\4DW4R3OhrjcIriTQ.dll
< End of report >



%%%%%%%%%%%%%%
% Extra.txt
%%%%%%%%%%%%%%

OTL Extras logfile created on: 22/02/2010 07:21:16 - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\ROGER\Desktop\BLEEPINGCOMPUTER
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

447.00 Mb Total Physical Memory | 144.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 62.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.10 Gb Total Space | 7.22 Gb Free Space | 21.18% Space Free | Partition Type: NTFS
Drive D: | 34.57 Gb Total Space | 33.39 Gb Free Space | 96.57% Space Free | Partition Type: FAT32
Drive E: | 1.17 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROGERPC
Current User Name: ROGER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"16907:TCP" = 16907:TCP:*:Enabled:BitComet 16907 TCP
"16907:UDP" = 16907:UDP:*:Enabled:BitComet 16907 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" = C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0 -- (CyberLink Corp.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\IncrediMail\bin\ImApp.exe" = C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail -- File not found
"C:\Program Files\IncrediMail\bin\IncMail.exe" = C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail -- File not found
"C:\Program Files\IncrediMail\bin\ImpCnt.exe" = C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail -- File not found
"C:\Program Files\Magentic\bin\MgImp.exe" = C:\Program Files\Magentic\bin\MgImp.exe:*:Enabled:Magentic -- File not found
"C:\Program Files\Magentic\bin\Magentic.exe" = C:\Program Files\Magentic\bin\Magentic.exe:*:Enabled:Magentic -- File not found
"C:\Program Files\Magentic\bin\MgApp.exe" = C:\Program Files\Magentic\bin\MgApp.exe:*:Enabled:Magentic -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" = C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0 -- (CyberLink Corp.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr .exe" = C:\Program Files\Windows Live\Messenger\msnmsgr .exe:*:Enabled:Windows Live Messenger -- ()
"C:\Documents and Settings\ROGER\Local Settings\Temp\vtxpo.exe" = C:\Documents and Settings\ROGER\Local Settings\Temp\vtxpo.exe:*:Enabled:vtxpo -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03F1CC67-5BD8-4C36-8394-76311B2AE69A}" = ArcSoft PhotoStudio 5
"{06604771-5346-492A-93C1-486B6CCD10AD}" = MP3 Player
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0CB98AC0-D691-4B21-AD3D-95982517021D}" = Acer WLAN 11g USB Dongle
"{11D3D948-2789-2E3D-03D7-282B537D8C01}" = BBC iPlayer Desktop
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{14C35072-D7D0-4B29-B5BF-C94E426D77E9}" = Sky Broadband
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{38C65D12-79E3-49C0-B211-DE3BE0A7AB39}" = commercial
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{4AD13F68-CADA-4C6B-9759-C33753F89908}" = Acer eDataSecurity Management
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{659B48CD-0608-4ED5-94C0-0B6C87114F10}" = Apple Mobile Device Support
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7057702F-6D71-4F30-8000-9E72BC771887}" = Acer ePerformance Management
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-011B-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B360A8E5-C171-4AAE-9777-65B3CDB0072C}" = CanoScan LiDE20,30 Manual
"{B5019E2C-F159-4DDC-8F1A-CD44AB574200}" = VGA USB Camera
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}" = ArcSoft PhotoBase 3
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}" = iTunes
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D755C7A3-C03E-4460-8C00-AC6E55505FB5}" = LightScribe 1.4.74.1
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
"BitComet" = BitComet 1.09
"ejaduaqo" = Favorit
"F3B506E1FDAEA4DC6669B53B2D3F0B68FBA20C2D" = Windows Driver Package - AMD System (04/06/2006 1.0.1.0)
"Free Download Manager" = Free Download Manager 2.5 build 758
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0CB98AC0-D691-4B21-AD3D-95982517021D}" = Acer WLAN 11g USB Dongle
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"InstallShield_{4AD13F68-CADA-4C6B-9759-C33753F89908}" = Acer eDataSecurity Management 2.0.3077
"Lexmark 730 Series" = Lexmark 730 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OcaHistoryUpd" = OCA Client history tool install
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3573713635-23850275-2346460486-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >




%%%%%%%%%%%%%%%%
% Partial GMER scan (i.e. sections and IAT/EAT unchecked)
%%%%%%%%%%%%%%%%%%

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-19 13:32:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ROGER\LOCALS~1\Temp\pgldrpow.sys


---- System - GMER 1.0.15 ----

Code F76B8EB5 ZwCallbackReturn
Code F76B8979 ZwEnumerateKey
Code F76B896F ZwSaveKey
Code F76B8974 ZwSaveKeyEx
Code F76B8BD2 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84BEF8D4

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\4DW4R3dorOdCJDYH.sys (*** hidden *** ) [SYSTEM] 4DW4R3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3@ImagePath \systemroot\system32\drivers\4DW4R3dorOdCJDYH.sys
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3@Start 1
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3\connections@5bf3bc6c
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3\injector@* 4DW4R3c
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3dorOdCJDYH.sys
Reg HKLM\SYSTEM\ControlSet001\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3vxvxrKwqsx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@ImagePath \systemroot\system32\drivers\4DW4R3dorOdCJDYH.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections@5bf3bc6c
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3c
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3dorOdCJDYH.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3vxvxrKwqsx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@ImagePath \systemroot\system32\drivers\4DW4R3dorOdCJDYH.sys
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\connections@5bf3bc6c
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\injector@* 4DW4R3c
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3dorOdCJDYH.sys
Reg HKLM\SYSTEM\ControlSet003\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3vxvxrKwqsx.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 PM

Posted 28 February 2010 - 12:43 PM

Hello Teafan,

That's quite some bad stuff there. One question though: your GMER log shows two rootkit infections. Did you do anything to remove those after the GMER log was run, or are they still (presumably) there?

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

Edited by elise025, 28 February 2010 - 12:44 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 Teafan

Teafan
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Cardiff
  • Local time:12:57 PM

Posted 28 February 2010 - 04:13 PM

Hi Elise,

I've done nothing following the GMER scan so I presume the 2 rootkit infections were still present prior to applying combofix.

And it appears that combofix has done a lot of good! It took a lot of attempts to get it running but after following your instructions I now have the default wallpaper back to normal plus what appears to be full access to regedit etc.

When the machine rebooted it gave three loading errors, all related to rundll, saying the following modules could not be found:
gamibuyo.dll
C:\WINDOWS\ujibafidequ.dll
c:\windows\system32\suteniro.dll

Otherwise it's looking very promising... The log is below.

Thanks,

Graeme

%%%%%%%%%%%%%%%%%%%%%
% combofix.txt
%%%%%%%%%%%%%%%%%%%%%

ComboFix 10-02-27.04 - ROGER 28/02/2010 19:51:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.93 [GMT 0:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ROGER\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\mswintmp.dat
c:\documents and settings\All Users\Application Data\Starware386
c:\documents and settings\All Users\Application Data\Starware386\buttons\1154_button_1b_def.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\1154_button_1b_over.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\1154_button_8b_def.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\1154_button_8b_over.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\Button_50.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\Button_60.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\Button_70.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\FindIt.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\FindItHot.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\findithotxp.png
c:\documents and settings\All Users\Application Data\Starware386\buttons\finditxp.png
c:\documents and settings\All Users\Application Data\Starware386\buttons\logo.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\logoxp.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\Reference.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\ReferenceHot.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\referencehotxp.png
c:\documents and settings\All Users\Application Data\Starware386\buttons\referencexp.png
c:\documents and settings\All Users\Application Data\Starware386\buttons\Weather.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\WeatherHot.bmp
c:\documents and settings\All Users\Application Data\Starware386\buttons\weatherhotxp.png
c:\documents and settings\All Users\Application Data\Starware386\buttons\weatherxp.png
c:\documents and settings\All Users\Application Data\Starware386\contexts\error.xml
c:\documents and settings\All Users\Application Data\Starware386\contexts\Related.xml
c:\documents and settings\All Users\Application Data\Starware386\contexts\Travel.xml
c:\documents and settings\All Users\Application Data\Starware386\images\foggy.bmp
c:\documents and settings\All Users\Application Data\Starware386\images\walertXP.bmp
c:\documents and settings\All Users\Application Data\Starware386\SimpleUpdate\ProductMessagingConfig.xml
c:\documents and settings\All Users\Application Data\Starware386\SimpleUpdate\ProductMessagingConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware386\SimpleUpdate\SimpleUpdateConfig.xml
c:\documents and settings\All Users\Application Data\Starware386\SimpleUpdate\SimpleUpdateConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware386\SimpleUpdate\TimerManagerConfig.xml
c:\documents and settings\All Users\Application Data\Starware386\SimpleUpdate\TimerManagerConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware408
c:\documents and settings\All Users\Application Data\Starware408\buttons\1223_button_1b_def.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\1223_button_1b_over.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\1229_button_1b_def.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\1229_button_1b_over.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\FindIt.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\FindItHot.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\findithotxp.png
c:\documents and settings\All Users\Application Data\Starware408\buttons\finditxp.png
c:\documents and settings\All Users\Application Data\Starware408\buttons\logo.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\logoxp.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\Weather.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\WeatherHot.bmp
c:\documents and settings\All Users\Application Data\Starware408\buttons\weatherhotxp.png
c:\documents and settings\All Users\Application Data\Starware408\buttons\weatherxp.png
c:\documents and settings\All Users\Application Data\Starware408\contexts\error.xml
c:\documents and settings\All Users\Application Data\Starware408\contexts\related.xml
c:\documents and settings\All Users\Application Data\Starware408\contexts\travel.xml
c:\documents and settings\ROGER\alcmtr .exe
c:\documents and settings\ROGER\alcmtr.exe
c:\documents and settings\ROGER\Application Data\Control-Center
c:\documents and settings\ROGER\Application Data\Control-Center\ccagent.exe
c:\documents and settings\ROGER\Application Data\Control-Center\faq\images\05.png
c:\documents and settings\ROGER\Application Data\Control-Center\faq\images\06.png
c:\documents and settings\ROGER\Application Data\Control-Center\faq\images\07.png
c:\documents and settings\ROGER\Application Data\Control-Center\faq\images\08.png
c:\documents and settings\ROGER\Application Data\Control-Center\faq\images\09.png
c:\documents and settings\ROGER\Application Data\Control-Center\faq\images\10.png
c:\documents and settings\ROGER\Application Data\Control-Center\settings.ini
c:\documents and settings\ROGER\Application Data\FunWebProducts
c:\documents and settings\ROGER\Application Data\FunWebProducts\Data\ROGER\avatar.dat
c:\documents and settings\ROGER\Application Data\FunWebProducts\Data\ROGER\zbucks.dat
c:\documents and settings\ROGER\Application Data\Starware386
c:\documents and settings\ROGER\Application Data\Starware386\BrowserSearch\BrowserSearch.xml
c:\documents and settings\ROGER\Application Data\Starware386\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Button_5\Button_5Options.xml
c:\documents and settings\ROGER\Application Data\Starware386\Button_5\Button_5Options.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Button_6\Button_6Options.xml
c:\documents and settings\ROGER\Application Data\Starware386\Button_6\Button_6Options.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Button_7\Button_7Options.xml
c:\documents and settings\ROGER\Application Data\Starware386\Button_7\Button_7Options.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Configurator\Configurator.xml
c:\documents and settings\ROGER\Application Data\Starware386\Configurator\Configurator.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\ErrorSearch\ErrorSearchOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\ErrorSearch\ErrorSearchOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Layouts\ToolbarLayout.xml
c:\documents and settings\ROGER\Application Data\Starware386\Layouts\ToolbarLayout.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Manager\ManagerOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\Manager\ManagerOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Reference\ReferenceOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\Reference\ReferenceOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\RelatedSearch\RelatedSearchOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\RelatedSearch\RelatedSearchOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Screensavers\ScreensaversOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\Screensavers\ScreensaversOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Toolbar\TBProductsOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\Toolbar\TBProductsOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\ToolbarLogo\ToolbarLogoOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\ToolbarSearch\ToolbarSearchOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\TravelSearch\TravelSearchOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\TravelSearch\TravelSearchOptions.xml.backup
c:\documents and settings\ROGER\Application Data\Starware386\Weather\AlertArchive.xml
c:\documents and settings\ROGER\Application Data\Starware386\Weather\WeatherOptions.xml
c:\documents and settings\ROGER\Application Data\Starware386\Weather\WeatherOptions.xml.backup
c:\documents and settings\ROGER\autorun.inf
c:\documents and settings\ROGER\Documents .lnk
c:\documents and settings\ROGER\jusched .exe
c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo .exe
c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo.dat
c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo.exe
c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo_nav.dat
c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo_navps.dat
c:\documents and settings\ROGER\Music .lnk
c:\documents and settings\ROGER\New Folder .lnk
c:\documents and settings\ROGER\nwiz .exe
c:\documents and settings\ROGER\Passwords .lnk
c:\documents and settings\ROGER\Pictures .lnk
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe.delme168
c:\documents and settings\ROGER\qiinae .exe.delme170
c:\documents and settings\ROGER\qiinae .scr
c:\documents and settings\ROGER\rthdcpl .exe
c:\documents and settings\ROGER\rthdcpl.exe
c:\documents and settings\ROGER\rundll32 .exe
c:\documents and settings\ROGER\rundll32.exe
c:\documents and settings\ROGER\skytel .exe
c:\documents and settings\ROGER\skytel.exe
c:\documents and settings\ROGER\Video .lnk
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\msimg32.dll
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\4DW4R3AsUyDGcxrS.dll
c:\windows\system32\4DW4R3btPUYqlbIb.dll
c:\windows\system32\4DW4R3c.dll
c:\windows\system32\4DW4R3dlKXIluwvu.dll
c:\windows\system32\4DW4R3GqMScmTXjk.dll
c:\windows\system32\4DW4R3GuLCKFbNgh.dll
c:\windows\system32\4DW4R3HcGsxRBvuS.dll
c:\windows\system32\4DW4R3horSFluJGi.dll
c:\windows\system32\4DW4R3HqjnQtLcNu.dll
c:\windows\system32\4DW4R3HvBpqvXLOs.dll
c:\windows\system32\4DW4R3JWXEVjOarH.dll
c:\windows\system32\4DW4R3kxcqNahARu.dll
c:\windows\system32\4DW4R3Kyopjxnkvv.dll
c:\windows\system32\4DW4R3lFCqbHSWvf.dll
c:\windows\system32\4DW4R3MFgUDYaiIq.dll
c:\windows\system32\4DW4R3NFhqhFtUIX.dll
c:\windows\system32\4DW4R3OhrjcIriTQ.dll
c:\windows\system32\4DW4R3pkwReIPtNe.dll
c:\windows\system32\4DW4R3qRlkfKAkmj.dll
c:\windows\system32\4DW4R3qWQnldnvFu.dll
c:\windows\system32\4DW4R3RiUyqwqHtQ.dll
c:\windows\system32\4DW4R3rouhReXCVb.dll
c:\windows\system32\4DW4R3sKcXerxFke.dll
c:\windows\system32\4DW4R3sQpxYmythy.dll
c:\windows\system32\4DW4R3sv.dat
c:\windows\system32\4DW4R3tbbJIcOdTL.dll
c:\windows\system32\4DW4R3twGdrppspa.dll
c:\windows\system32\4DW4R3uMegQQXxbl.dll
c:\windows\system32\4DW4R3uOHRktLaeG.dll
c:\windows\system32\4DW4R3vcoIeYwGjx.dll
c:\windows\system32\4DW4R3VSpMnPORhr.dll
c:\windows\system32\4DW4R3vxvxrKwqsx.dll
c:\windows\system32\4DW4R3wKRbnKwhCE.dll
c:\windows\system32\4DW4R3woDotUAfQG.dll
c:\windows\system32\4DW4R3WuIOFYFwgh.dll
c:\windows\system32\alcmtr .exe
c:\windows\system32\alcmtr.exe
c:\windows\system32\app_dll.dll
c:\windows\system32\bamonipo.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\drivers\4DW4R3.sys
c:\windows\system32\drivers\4DW4R3AabMyQvUqK.sys
c:\windows\system32\drivers\4DW4R3aNBOcPeSTQ.sys
c:\windows\system32\drivers\4DW4R3bfQEoQKGaY.sys
c:\windows\system32\drivers\4DW4R3dorOdCJDYH.sys
c:\windows\system32\drivers\4DW4R3ekIaubtBWq.sys
c:\windows\system32\drivers\4DW4R3ExLbIaAyXm.sys
c:\windows\system32\drivers\4DW4R3ianNsIxvaT.sys
c:\windows\system32\drivers\4DW4R3ikwDLAPkuG.sys
c:\windows\system32\drivers\4DW4R3inWWNglwqQ.sys
c:\windows\system32\drivers\4DW4R3jljncvwrdW.sys
c:\windows\system32\drivers\4DW4R3JuHpftthiM.sys
c:\windows\system32\drivers\4DW4R3kCMhepsJAW.sys
c:\windows\system32\drivers\4DW4R3kqXomTTgJm.sys
c:\windows\system32\drivers\4DW4R3lEbolaTIPN.sys
c:\windows\system32\drivers\4DW4R3LUtDXDctdi.sys
c:\windows\system32\drivers\4DW4R3lWdggYKaNk.sys
c:\windows\system32\drivers\4DW4R3mDkoOYpNwm.sys
c:\windows\system32\drivers\4DW4R3noOgbXkHRB.sys
c:\windows\system32\drivers\4DW4R3NQtaAiWdec.sys
c:\windows\system32\drivers\4DW4R3NRgGjsiRnl.sys
c:\windows\system32\drivers\4DW4R3ojSofXvDpV.sys
c:\windows\system32\drivers\4DW4R3PoHBuPPwRe.sys
c:\windows\system32\drivers\4DW4R3QcnWucCgMD.sys
c:\windows\system32\drivers\4DW4R3qLxmARccpS.sys
c:\windows\system32\drivers\4DW4R3rVqxbsjPkp.sys
c:\windows\system32\drivers\4DW4R3RyBXahKYjO.sys
c:\windows\system32\drivers\4DW4R3vfFbMJojUa.sys
c:\windows\system32\drivers\4DW4R3VhApGNrsSi.sys
c:\windows\system32\drivers\4DW4R3VnnNocomeU.sys
c:\windows\system32\drivers\4DW4R3wfVPkkbaGs.sys
c:\windows\system32\drivers\4DW4R3xFsygeVDYY.sys
c:\windows\system32\drivers\4DW4R3xhMLwldqGC.sys
c:\windows\system32\drivers\4DW4R3xyDoGNJMNP.sys
c:\windows\system32\driVERs\lmnuxmxn.sys
c:\windows\system32\gamibuyo.dll
c:\windows\system32\helper32.dll
c:\windows\system32\herifolu.dll
c:\windows\system32\IS15.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nwiz .exe
c:\windows\system32\o3su31.dll
c:\windows\system32\pazodoga.dll
c:\windows\system32\pm_proc1 .exe
c:\windows\system32\rthdcpl .exe
c:\windows\system32\rthdcpl.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\sdra64.exe
c:\windows\system32\skytel .exe
c:\windows\system32\skytel.exe
c:\windows\system32\smss32 .exe
c:\windows\system32\smss32.exe
c:\windows\system32\suteniro.dll
c:\windows\system32\sysmonitor .exe
c:\windows\system32\twain_32.dll
c:\windows\system32\yorerufo.dll
c:\windows\ujibafidequ.dll
c:\windows\vsnpstd3 .exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_4DW4R3
-------\Legacy_4DW4R3
-------\Legacy_lmnuxmxn
-------\Service_lmnuxmxn


((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 18:53 . 2010-02-28 18:53 4 ----a-w- c:\program files\99640.dat
2010-02-28 18:13 . 2010-02-28 18:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-02-19 06:01 . 2010-02-19 06:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-02-18 10:23 . 2010-02-18 10:23 4 ----a-w- c:\program files\154234.dat
2010-02-17 22:15 . 2010-02-17 22:15 4 ----a-w- c:\program files\359781.dat
2010-02-17 14:46 . 2010-02-17 14:46 4 ----a-w- c:\program files\218140.dat
2010-02-17 14:42 . 2010-02-17 14:42 4 ----a-w- c:\program files\147687.dat
2010-02-17 14:40 . 2010-02-17 14:40 4 ----a-w- c:\program files\126953.dat
2010-02-17 14:37 . 2010-02-17 14:37 4 ----a-w- c:\program files\144453.dat
2010-02-17 11:56 . 2010-02-17 11:56 4 ----a-w- c:\program files\355625.dat
2010-02-17 11:49 . 2010-02-17 11:49 4 ----a-w- c:\program files\212562.dat
2010-02-17 11:41 . 2010-02-17 11:41 4 ----a-w- c:\program files\200328.dat
2010-02-17 11:36 . 2010-02-17 11:36 4 ----a-w- c:\program files\570937.dat
2010-02-17 11:31 . 2010-02-28 20:14 56320 ----a-w- c:\documents and settings\ROGER\jusched.exe
2010-02-17 11:30 . 2010-02-28 20:13 56320 ----a-w- c:\documents and settings\ROGER\nwiz.exe
2010-02-17 11:30 . 2010-02-28 20:13 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-02-17 11:30 . 2010-02-28 20:13 56320 ----a-w- c:\documents and settings\ROGER\qiinae.exe
2010-02-17 11:30 . 2010-02-28 19:51 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-02-17 10:44 . 2010-02-17 10:44 4 ----a-w- c:\program files\1232890.dat
2010-02-17 10:23 . 2010-02-17 10:23 4 ----a-w- c:\program files\703578.dat
2010-02-17 10:17 . 2010-02-17 10:17 4 ----a-w- c:\program files\333750.dat
2010-02-17 10:08 . 2010-02-17 10:08 4 ----a-w- c:\program files\570687.dat
2010-02-17 01:26 . 2010-02-17 01:26 4 ----a-w- c:\program files\1618328.dat
2010-02-17 01:20 . 2010-02-17 01:20 4 ----a-w- c:\program files\1302890.dat
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\ROGER\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 00:21 . 2010-02-17 00:21 4 ----a-w- c:\program files\1203156.dat
2010-02-17 00:05 . 2010-02-22 09:01 56320 ----a-w- c:\windows\system32\nwiz.exe
2010-02-16 23:47 . 2010-02-16 23:47 4 ----a-w- c:\program files\13430718.dat
2010-02-16 23:40 . 2010-02-16 23:40 0 ----a-w- c:\program files\12980812.dat
2010-02-16 20:03 . 2010-02-16 20:03 4 ----a-w- c:\program files\4615265.dat
2010-02-16 18:46 . 2010-02-16 18:46 4 ----a-w- c:\program files\7625984.dat
2010-02-16 16:00 . 2010-02-16 16:00 4 ----a-w- c:\program files\1247609.dat
2010-02-16 15:55 . 2010-02-16 15:55 -------- d-----w- c:\documents and settings\ROGER\Application Data\AVG9
2010-02-16 15:53 . 2010-02-16 15:53 4 ----a-w- c:\program files\841765.dat
2010-02-16 15:35 . 2010-02-16 15:40 -------- d-----w- C:\$AVG
2010-02-16 15:33 . 2010-02-16 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-16 14:21 . 2010-02-16 14:21 4 ----a-w- c:\program files\2156125.dat
2010-02-16 13:45 . 2010-02-16 13:45 4 ----a-w- c:\program files\798343.dat
2010-02-16 13:32 . 2010-02-16 13:32 4 ----a-w- c:\program files\1025250.dat
2010-02-16 13:09 . 2010-02-16 13:09 4 ----a-w- c:\program files\1143578.dat
2010-02-16 12:50 . 2010-02-16 12:50 4 ----a-w- c:\program files\2385812.dat
2010-02-16 12:10 . 2010-02-16 12:10 4 ----a-w- c:\program files\2799296.dat
2010-02-16 01:45 . 2010-02-16 01:45 4 ----a-w- c:\program files\1211062.dat
2010-02-16 01:35 . 2010-02-28 20:14 56320 ----a-w- c:\windows\system32\pm_proc1.exe
2010-02-16 01:24 . 2010-02-16 01:24 4 ----a-w- c:\program files\3396765.dat
2010-02-16 01:23 . 2010-02-16 01:23 4 ----a-w- c:\program files\3324781.dat
2010-02-16 00:56 . 2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-16 00:56 . 2010-02-16 15:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-16 00:56 . 2010-02-16 15:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-16 00:56 . 2010-02-16 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-16 00:55 . 2010-02-16 15:33 -------- d-----w- c:\program files\AVG
2010-02-16 00:55 . 2010-02-16 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-15 15:58 . 2010-02-15 15:58 4 ----a-w- c:\program files\3101875.dat
2010-02-15 15:32 . 2010-02-15 15:32 4 ----a-w- c:\program files\1510781.dat
2010-02-15 15:21 . 2010-02-15 15:22 -------- d-----w- c:\documents and settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}
2010-02-15 09:37 . 2010-02-15 09:37 4 ----a-w- c:\program files\941015.dat
2010-02-15 09:34 . 2010-02-17 12:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 09:01 . 2010-02-15 09:01 4 ----a-w- c:\program files\1819625.dat
2010-02-15 08:29 . 2010-02-15 08:29 4 ----a-w- c:\program files\803640.dat
2010-02-15 07:21 . 2010-02-15 07:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-02-01 09:33 . 2010-02-01 09:33 4 ----a-w- c:\program files\475640.dat
2010-02-01 04:39 . 2010-02-01 04:39 4 ----a-w- c:\program files\1020984.dat
2010-02-01 01:44 . 2010-02-01 01:44 4 ----a-w- c:\program files\2149640.dat
2010-02-01 01:20 . 2010-02-01 01:20 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-02-01 01:06 . 2010-02-28 18:01 0 ----a-w- c:\windows\Wkomokesi.bin
2010-02-01 01:06 . 2010-02-15 07:56 120 ----a-w- c:\windows\Mhelofiboqa.dat
2010-02-01 01:06 . 2010-02-01 01:06 -------- d-----w- c:\documents and settings\ROGER\Local Settings\Application Data\{8E9157C2-0ECE-42FB-B42E-4323392BEF34}
2010-02-01 01:03 . 2010-02-01 01:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 20:14 . 2009-06-06 07:47 -------- d-----w- c:\program files\iTunes
2010-02-28 20:13 . 2009-06-06 07:38 -------- d-----w- c:\program files\QuickTime
2010-02-28 18:14 . 2008-08-28 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-16 01:23 . 2008-07-25 16:14 162 ----a-w- c:\windows\system32\pinf.sys
2010-02-15 15:38 . 2009-11-23 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-02-15 15:36 . 2007-12-23 03:27 -------- d-----w- c:\program files\Network Associates
2010-02-15 14:56 . 2009-02-12 09:19 -------- d-----w- c:\program files\Free Download Manager
2010-02-15 14:56 . 2007-10-26 04:14 -------- d-----w- c:\program files\BitComet
2010-02-15 08:42 . 2009-02-12 09:20 -------- d-----w- c:\documents and settings\ROGER\Application Data\Free Download Manager
2010-02-15 07:57 . 2006-12-04 00:20 -------- d-----w- c:\program files\Lx_cats
2010-02-15 07:38 . 2007-08-24 04:46 -------- d-----w- c:\program files\Google
2010-02-01 01:03 . 2008-09-04 17:08 -------- d-----w- c:\documents and settings\ROGER\Application Data\uTorrent
2010-01-17 04:48 . 2009-03-22 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-21 19:14 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 20:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2008-09-08 19:05 . 2008-07-25 16:10 321 --sh--w- c:\windows\system32\3557650112.sys
.
CODE
<pre>
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\AVG\AVG8\alcmtr .exe
c:\program files\AVG\AVG8\nwiz .exe
c:\program files\AVG\AVG8\rthdcpl .exe
c:\program files\AVG\AVG8\skytel .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\BitComet\bitcomet .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared Files\brs .exe
c:\program files\Free Download Manager\fdm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntimui .exe
c:\program files\PeerGuardian2\pg2 .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
</pre>


------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-10 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-28 56320]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-02-28 56320]
"ejaduaqo"="c:\documents and settings\roger\local settings\application data\ejaduaqo.exe" [N/A]
"smss32.exe"="c:\windows\system32\smss32.exe" [N/A]
"qiinae"="c:\documents and settings\ROGER\qiinae.exe" [2010-02-28 56320]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [N/A]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [2010-02-28 56320]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [N/A]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [N/A]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]
"nwiz"="nwiz.exe" [2010-02-22 56320]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-11 86016]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-02-28 56320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2010-02-28 56320]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2010-02-28 56320]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-28 56320]
"My Web Search Bar Search Scope Monitor"="c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-28 56320]
"Kvemukazaqa"="c:\windows\ujibafidequ.dll" [N/A]
"gobehabuye"="gamibuyo.dll" [N/A]
"zumipirun"="c:\windows\system32\suteniro.dll" [N/A]
"Java Quick Start"="c:\documents and settings\ROGER\jusched.exe" [2010-02-28 56320]
"plsi"="c:\windows\system32\pm_proc1.exe" [2010-02-28 56320]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-3 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wetegsn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr .exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16907:TCP"= 16907:TCP:BitComet 16907 TCP
"16907:UDP"= 16907:UDP:BitComet 16907 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/02/2010 00:56 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/02/2010 00:56 360584]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 19:07 61424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/02/2010 00:55 297752]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/02/2010 15:33 285392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [22/03/2009 13:39 54752]
S2 a2free;a-squared Free Service;"e:\asquaredmalware-remote\a2service.exe" --> e:\asquaredmalware-remote\a2service.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/01/2010 03:45 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [17/02/2010 01:18 38224]
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-02-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-26 08:40]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm025YYGB
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
TCP: {53D02F21-9542-48DE-A8BC-C8C3BDCE7491} = 83.149.115.157,4.2.2.1,192.168.0.1
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
.
- - - - ORPHANS REMOVED - - - -

BHO-{49e87e14-c80d-4a00-ae05-2a966264a23b} - pazodoga.dll
BHO-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\o3su31.dll
Toolbar-{b7015c83-786f-46cf-940b-c65b867a1ddf} - (no file)
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
SharedTaskScheduler-{A3BA40A2-74F0-42BD-F434-00B15A2C8953} - c:\windows\system32\o3su31.dll
SharedTaskScheduler-{807a8677-e344-4dc5-b5c9-1fb7c228c104} - c:\windows\system32\suteniro.dll
SSODL-pipedeped-{807a8677-e344-4dc5-b5c9-1fb7c228c104} - c:\windows\system32\suteniro.dll
AddRemove-ejaduaqo - c:\documents and settings\roger\local settings\application data\ejaduaqo.exe
AddRemove-Free Download Manager - c:\program files\Free Download Manager\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 20:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84C8C8D4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72da852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Generic Marvell Yukon Chipset based Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf71debb0
PacketIndicateHandler -> NDIS.sys @ 0xf71eba21
SendHandler -> NDIS.sys @ 0xf71c987b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\WININET.dll
c:\windows\wetegsn.dll

- - - - - - - > 'explorer.exe'(2112)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\program files\Common Files\CyberLink\deskband32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\wetegsn.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\nwiz.exe
c:\windows\RTHDCPL.EXE
c:\acer\empowering technology\edatasecurity\edsloader .exe
c:\program files\cyberlink\powerdvd8\pdvd8serv .exe
c:\program files\java\jre6\bin\jusched .exe
c:\program files\itunes\ituneshelper .exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-02-28 20:37:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-28 20:37

Pre-Run: 7,761,883,136 bytes free
Post-Run: 12,922,257,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - A41D1BE2C96FC1D605C72648FFFAAC53


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:57 PM

Posted 01 March 2010 - 03:21 AM

Hello Teafan,

That got rid of a LOT of stuff, but still leaves us with quite some stuff to deal with.

However, first consider the following information...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

CODE

Collect::
c:\program files\475640.dat
c:\program files\1020984.dat
c:\program files\2149640.dat
c:\windows\Wkomokesi.bin
c:\windows\Mhelofiboqa.dat
c:\windows\wetegsn.dll

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

RenV::
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\AVG\AVG8\alcmtr .exe
c:\program files\AVG\AVG8\nwiz .exe
c:\program files\AVG\AVG8\rthdcpl .exe
c:\program files\AVG\AVG8\skytel .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\BitComet\bitcomet .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared Files\brs .exe
c:\program files\Free Download Manager\fdm .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntimui .exe
c:\program files\PeerGuardian2\pg2 .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

DDS::
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


Since there are so many files that ought to be scripted away with Combofix, I prefer to try Malwarebytes antimalware here as well, AFTER you have run the CFScript.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
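
Elise's post above picks out what to script away from the ComboFix listing. The following is an added example (not BleepingComputer's, ComboFix's or Malwarebytes' code) of how a responder might triage a ComboFix "Reg Loading Points" section like the one posted: it flags value names and paths padded with spaces before `.exe`, entries with no file metadata (`[N/A]`) or a missing file (`[X]`), autostarts launched from the user profile, bare file names, and one file size (56320 bytes) recurring across unrelated programs. It also lists the LSA `Notification Packages` beyond the XP default `scecli` and decodes the `hex(7)` value the CFScript writes back, confirming that the fix restores only `scecli`. The sample lines are constructed to mirror the posted log; the UTF-16LE branch of the decoder goes beyond the thread's script, which uses one byte per character.

```python
"""Triage helpers for ComboFix-style log lines.

Added example for this thread; it is not a BleepingComputer, ComboFix or
Malwarebytes tool. The SAMPLE_* inputs are constructed to mirror the shapes
seen in the posted log (Run-key entries, the LSA 'Notification Packages' line)
and the REG_MULTI_SZ hex(7) value that the CFScript writes back.
"""
import re

# Constructed sample lines in ComboFix's "Reg Loading Points" format.
SAMPLE_RUN_LINES = [
    '"ehTray"="c:\\windows\\ehome\\ehtray.exe" [2005-08-05 64512]',
    '"qiinae "="c:\\documents and settings\\roger\\qiinae .exe" [N/A]',
    '"QuickTime Task"="c:\\program files\\quicktime\\qttask .exe -atboottime" [X]',
    '"smss32.exe"="c:\\windows\\system32\\smss32.exe" [N/A]',
    '"gobehabuye"="gamibuyo.dll" [N/A]',
    '"swg"="c:\\program files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe" [2010-02-28 56320]',
    '"updateMgr"="c:\\program files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe" [2010-02-28 56320]',
    '"plsi"="c:\\windows\\system32\\pm_proc1.exe" [2010-02-28 56320]',
]

# Constructed sample of the LSA line as ComboFix prints it.
SAMPLE_LSA_LINE = "Notification Packages REG_MULTI_SZ scecli wetegsn.dll"

# The hex(7) value from the thread's CFScript: the state the fix restores.
CFSCRIPT_NOTIFY_HEX = "73,63,65,63,6c,69,00,00"

RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]')
# Whitespace between base name and extension, as in "qttask      .exe".
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|dll|com|scr)\b", re.IGNORECASE)
USER_PROFILE = re.compile(r"\\documents and settings\\", re.IGNORECASE)


def triage_run_line(line: str) -> list:
    """Return the reasons a Run-key line deserves review (empty list = nothing flagged)."""
    m = RUN_LINE.match(line)
    if not m:
        return ["line did not parse as a Run-key entry"]
    name, cmd, info = m.group("name"), m.group("cmd"), m.group("info")
    reasons = []
    if SPACE_BEFORE_EXT.search(cmd) or name != name.strip():
        reasons.append("whitespace padding before the extension or in the value name")
    if info.strip().upper() == "N/A":
        reasons.append("no file metadata recorded (N/A)")
    if info.strip().upper() == "X":
        reasons.append("referenced file missing ([X])")
    if USER_PROFILE.search(cmd):
        reasons.append("autostart from a user profile directory")
    if "\\" not in cmd:
        reasons.append("bare file name, resolved by PATH search at logon")
    return reasons


def triage_run_lines(lines) -> dict:
    """Map each flagged line to its reasons; clean lines are omitted."""
    return {ln: r for ln in lines if (r := triage_run_line(ln))}


def shared_sizes(lines, min_count: int = 3) -> dict:
    """Group entries by reported file size. One size shared by several unrelated
    programs (56320 bytes throughout the posted log) is a strong pivot."""
    by_size = {}
    for ln in lines:
        m = RUN_LINE.match(ln)
        if not m:
            continue
        tokens = m.group("info").split()
        if len(tokens) == 2 and tokens[1].isdigit():
            by_size.setdefault(int(tokens[1]), []).append(m.group("name"))
    return {size: names for size, names in by_size.items() if len(names) >= min_count}


def nonstandard_notification_packages(lsa_line: str) -> list:
    """Names in LSA 'Notification Packages' other than the XP default 'scecli'."""
    parts = lsa_line.split()
    if parts[:3] != ["Notification", "Packages", "REG_MULTI_SZ"]:
        raise ValueError("not a Notification Packages line")
    return [p for p in parts[3:] if p.lower() != "scecli"]


def decode_reg_multi_sz_hex(hex_value: str) -> list:
    """Decode a hex(7) REG_MULTI_SZ byte list into its strings.

    The CFScript in the thread uses one byte per character; a regedit export
    of the same value would be UTF-16LE (every second byte 0x00), which is
    detected and handled as well.
    """
    raw = bytes(int(b, 16) for b in hex_value.split(",") if b.strip())
    if len(raw) >= 2 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # REG_MULTI_SZ: NUL-terminated strings followed by one extra NUL.
    return [s for s in text.split("\0") if s]


if __name__ == "__main__":
    for line, reasons in triage_run_lines(SAMPLE_RUN_LINES).items():
        print(line, "->", "; ".join(reasons))
    print("sizes shared by several programs:", shared_sizes(SAMPLE_RUN_LINES))
    print("extra LSA notification packages:", nonstandard_notification_packages(SAMPLE_LSA_LINE))
    print("CFScript restores Notification Packages to:", decode_reg_multi_sz_hex(CFSCRIPT_NOTIFY_HEX))
```

Each flag is a reason to look, not a verdict: `nwiz.exe` and `RTHDCPL.EXE` are normally legitimate bare names, which is exactly why the recurring 56320-byte size and the padded copies under the user profile are the more reliable pivots in this log. A DLL in `Notification Packages` loads into `lsass.exe` at every password change, so anything there beyond `scecli` deserves the same scrutiny the thread gives `wetegsn.dll`.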


#7 Teafan

Teafan
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:Cardiff
  • Local time:12:57 PM

Posted 01 March 2010 - 04:44 PM

Hi Elise,

Thanks for your help so far. I will proceed with the clean but will show the user the risks once it's been finished. If he decides to reformat then so be it.

I attach the logs from ComboFix and MBAM below. I cannot believe how many hits MBAM registered!

Graeme

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% ComboFix log
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

ComboFix 10-02-27.04 - ROGER 01/03/2010 8:58.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.87 [GMT 0:00]
Running from: c:\documents and settings\ROGER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ROGER\Desktop\BLEEPINGCOMPUTER\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\program files\1020984.dat
file zipped: c:\program files\2149640.dat
file zipped: c:\program files\475640.dat
file zipped: c:\windows\Mhelofiboqa.dat
file zipped: c:\windows\wetegsn.dll
file zipped: c:\windows\Wkomokesi.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ROGER\jusched .exe
c:\documents and settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}
c:\documents and settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}\chrome.manifest
c:\documents and settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}\chrome\content\_cfg.js
c:\documents and settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}\chrome\content\overlay.xul
c:\documents and settings\ROGER\Local Settings\Application Data\{17A81E2D-8BB7-4822-9F53-3D9BEC173D5F}\install.rdf
c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo .exe
c:\documents and settings\ROGER\nwiz .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\qiinae .exe
c:\documents and settings\ROGER\rthdcpl .exe
c:\documents and settings\ROGER\rthdcpl.exe
c:\documents and settings\ROGER\rundll32 .exe
c:\documents and settings\ROGER\rundll32.exe
c:\documents and settings\ROGER\skytel .exe
c:\documents and settings\ROGER\skytel.exe
c:\program files\1020984.dat
c:\program files\2149640.dat
c:\program files\475640.dat
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\Mhelofiboqa.dat
c:\windows\system32\pm_proc1 .exe
c:\windows\system32\smss32 .exe
c:\windows\system32\smss32.exe
c:\windows\wetegsn.dll
c:\windows\Wkomokesi.bin

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-03-01 09:08 . 2010-03-01 09:08 56320 ----a-w- c:\windows\system32\smss32.exe
2010-02-28 20:44 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo.exe
2010-02-28 18:53 . 2010-02-28 18:53 4 ----a-w- c:\program files\99640.dat
2010-02-28 18:13 . 2010-02-28 18:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-02-19 06:01 . 2010-02-19 06:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-02-18 10:23 . 2010-02-18 10:23 4 ----a-w- c:\program files\154234.dat
2010-02-17 22:15 . 2010-02-17 22:15 4 ----a-w- c:\program files\359781.dat
2010-02-17 14:46 . 2010-02-17 14:46 4 ----a-w- c:\program files\218140.dat
2010-02-17 14:42 . 2010-02-17 14:42 4 ----a-w- c:\program files\147687.dat
2010-02-17 14:40 . 2010-02-17 14:40 4 ----a-w- c:\program files\126953.dat
2010-02-17 14:37 . 2010-02-17 14:37 4 ----a-w- c:\program files\144453.dat
2010-02-17 11:56 . 2010-02-17 11:56 4 ----a-w- c:\program files\355625.dat
2010-02-17 11:49 . 2010-02-17 11:49 4 ----a-w- c:\program files\212562.dat
2010-02-17 11:41 . 2010-02-17 11:41 4 ----a-w- c:\program files\200328.dat
2010-02-17 11:36 . 2010-02-17 11:36 4 ----a-w- c:\program files\570937.dat
2010-02-17 11:31 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\jusched.exe
2010-02-17 11:30 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\nwiz.exe
2010-02-17 11:30 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\qiinae.exe
2010-02-17 10:44 . 2010-02-17 10:44 4 ----a-w- c:\program files\1232890.dat
2010-02-17 10:23 . 2010-02-17 10:23 4 ----a-w- c:\program files\703578.dat
2010-02-17 10:17 . 2010-02-17 10:17 4 ----a-w- c:\program files\333750.dat
2010-02-17 10:08 . 2010-02-17 10:08 4 ----a-w- c:\program files\570687.dat
2010-02-17 01:26 . 2010-02-17 01:26 4 ----a-w- c:\program files\1618328.dat
2010-02-17 01:20 . 2010-02-17 01:20 4 ----a-w- c:\program files\1302890.dat
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\ROGER\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 00:21 . 2010-02-17 00:21 4 ----a-w- c:\program files\1203156.dat
2010-02-17 00:05 . 2010-02-22 09:01 56320 ----a-w- c:\windows\system32\nwiz.exe
2010-02-16 23:47 . 2010-02-16 23:47 4 ----a-w- c:\program files\13430718.dat
2010-02-16 23:40 . 2010-02-16 23:40 0 ----a-w- c:\program files\12980812.dat
2010-02-16 20:03 . 2010-02-16 20:03 4 ----a-w- c:\program files\4615265.dat
2010-02-16 18:46 . 2010-02-16 18:46 4 ----a-w- c:\program files\7625984.dat
2010-02-16 16:00 . 2010-02-16 16:00 4 ----a-w- c:\program files\1247609.dat
2010-02-16 15:55 . 2010-02-16 15:55 -------- d-----w- c:\documents and settings\ROGER\Application Data\AVG9
2010-02-16 15:53 . 2010-02-16 15:53 4 ----a-w- c:\program files\841765.dat
2010-02-16 15:35 . 2010-02-16 15:40 -------- d-----w- C:\$AVG
2010-02-16 15:33 . 2010-02-16 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-16 14:21 . 2010-02-16 14:21 4 ----a-w- c:\program files\2156125.dat
2010-02-16 13:45 . 2010-02-16 13:45 4 ----a-w- c:\program files\798343.dat
2010-02-16 13:32 . 2010-02-16 13:32 4 ----a-w- c:\program files\1025250.dat
2010-02-16 13:09 . 2010-02-16 13:09 4 ----a-w- c:\program files\1143578.dat
2010-02-16 12:50 . 2010-02-16 12:50 4 ----a-w- c:\program files\2385812.dat
2010-02-16 12:10 . 2010-02-16 12:10 4 ----a-w- c:\program files\2799296.dat
2010-02-16 01:45 . 2010-02-16 01:45 4 ----a-w- c:\program files\1211062.dat
2010-02-16 01:35 . 2010-03-01 09:08 56320 ----a-w- c:\windows\system32\pm_proc1.exe
2010-02-16 01:24 . 2010-02-16 01:24 4 ----a-w- c:\program files\3396765.dat
2010-02-16 01:23 . 2010-02-16 01:23 4 ----a-w- c:\program files\3324781.dat
2010-02-16 00:56 . 2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-16 00:56 . 2010-02-16 15:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-16 00:56 . 2010-02-16 15:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-16 00:56 . 2010-02-16 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-16 00:55 . 2010-02-16 15:33 -------- d-----w- c:\program files\AVG
2010-02-16 00:55 . 2010-02-16 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-15 15:58 . 2010-02-15 15:58 4 ----a-w- c:\program files\3101875.dat
2010-02-15 15:32 . 2010-02-15 15:32 4 ----a-w- c:\program files\1510781.dat
2010-02-15 09:37 . 2010-02-15 09:37 4 ----a-w- c:\program files\941015.dat
2010-02-15 09:34 . 2010-02-17 12:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 09:01 . 2010-02-15 09:01 4 ----a-w- c:\program files\1819625.dat
2010-02-15 08:29 . 2010-02-15 08:29 4 ----a-w- c:\program files\803640.dat
2010-02-15 07:21 . 2010-02-15 07:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-02-01 01:20 . 2010-02-01 01:20 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-02-01 01:06 . 2010-02-01 01:06 -------- d-----w- c:\documents and settings\ROGER\Local Settings\Application Data\{8E9157C2-0ECE-42FB-B42E-4323392BEF34}
2010-02-01 01:03 . 2010-02-01 01:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 09:08 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\rundll32.exe
2010-03-01 09:08 . 2009-06-06 07:47 -------- d-----w- c:\program files\iTunes
2010-03-01 09:08 . 2009-06-06 07:38 -------- d-----w- c:\program files\QuickTime
2010-03-01 09:08 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\skytel.exe
2010-03-01 09:08 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\rthdcpl.exe
2010-03-01 09:08 . 2010-03-01 09:08 56320 ----a-w- c:\documents and settings\ROGER\rundll32 .exe
2010-03-01 09:08 . 2010-02-17 11:30 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-03-01 09:08 . 2010-02-17 11:30 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-03-01 09:08 . 2010-02-17 11:30 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-03-01 09:08 . 2010-02-17 11:30 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-03-01 09:08 . 2010-02-17 11:30 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-03-01 08:58 . 2009-11-23 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-03-01 08:58 . 2009-02-12 09:19 -------- d-----w- c:\program files\Free Download Manager
2010-03-01 08:58 . 2007-10-26 04:14 -------- d-----w- c:\program files\BitComet
2010-03-01 08:38 . 2010-02-16 01:35 56320 ----a-w- c:\windows\system32\pm_proc1 .exe
2010-03-01 08:38 . 2010-02-17 11:31 56320 ----a-w- c:\documents and settings\ROGER\jusched .exe
2010-03-01 08:38 . 2010-02-17 11:30 56320 ----a-w- c:\documents and settings\ROGER\nwiz .exe
2010-03-01 08:37 . 2010-02-17 11:30 56320 ----a-w- c:\documents and settings\ROGER\qiinae .exe
2010-03-01 08:37 . 2010-02-28 20:44 56320 ----a-w- c:\documents and settings\ROGER\Local Settings\Application Data\ejaduaqo .exe
2010-02-28 18:14 . 2008-08-28 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-16 01:23 . 2008-07-25 16:14 162 ----a-w- c:\windows\system32\pinf.sys
2010-02-15 15:36 . 2007-12-23 03:27 -------- d-----w- c:\program files\Network Associates
2010-02-15 08:42 . 2009-02-12 09:20 -------- d-----w- c:\documents and settings\ROGER\Application Data\Free Download Manager
2010-02-15 07:57 . 2006-12-04 00:20 -------- d-----w- c:\program files\Lx_cats
2010-02-15 07:38 . 2007-08-24 04:46 -------- d-----w- c:\program files\Google
2010-01-17 04:48 . 2009-03-22 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 07:53 . 2009-12-26 07:53 38784 ----a-w- c:\documents and settings\ROGER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-21 19:14 . 2006-03-04 03:58 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 20:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 07:00 . 2009-12-12 07:00 152576 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-12 07:00 . 2009-12-04 00:27 79488 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-09-08 19:05 . 2008-07-25 16:10 321 --sh--w- c:\windows\system32\3557650112.sys
.
CODE
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\system32\pm_proc1 .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-01 56320]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-03-01 56320]
"ejaduaqo"="c:\documents and settings\roger\local settings\application data\ejaduaqo.exe" [2010-03-01 56320]
"smss32.exe"="c:\windows\system32\smss32.exe" [2010-03-01 56320]
"qiinae"="c:\documents and settings\ROGER\qiinae.exe" [2010-03-01 56320]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [2010-03-01 56320]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [2010-03-01 56320]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [2010-03-01 56320]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [2010-03-01 56320]
"qiinae "="c:\documents and settings\roger\qiinae .exe" [2010-03-01 56320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]
"nwiz"="nwiz.exe" [2010-02-22 56320]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-11 86016]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-01 56320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2010-03-01 56320]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2010-03-01 56320]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-01 56320]
"My Web Search Bar Search Scope Monitor"="c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-01 56320]
"Kvemukazaqa"="c:\windows\ujibafidequ.dll" [N/A]
"gobehabuye"="gamibuyo.dll" [N/A]
"zumipirun"="c:\windows\system32\suteniro.dll" [N/A]
"Java Quick Start"="c:\documents and settings\ROGER\jusched.exe" [2010-03-01 56320]
"plsi"="c:\windows\system32\pm_proc1.exe" [2010-03-01 56320]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-3 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16907:TCP"= 16907:TCP:BitComet 16907 TCP
"16907:UDP"= 16907:UDP:BitComet 16907 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/02/2010 00:56 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/02/2010 00:56 360584]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 19:07 61424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/02/2010 00:55 297752]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/02/2010 15:33 285392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [22/03/2009 13:39 54752]
S2 a2free;a-squared Free Service;"e:\asquaredmalware-remote\a2service.exe" --> e:\asquaredmalware-remote\a2service.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/01/2010 03:45 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [17/02/2010 01:18 38224]
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-03-01 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-01 09:08]

2010-03-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-26 08:40]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm025YYGB
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
TCP: {53D02F21-9542-48DE-A8BC-C8C3BDCE7491} = 83.149.115.157,4.2.2.1,192.168.0.1
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 09:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\pm_proc1 .exe 56320 bytes executable
c:\windows\system32\smss32.exe 56320 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\program files\Common Files\CyberLink\deskband32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\nwiz.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\acer\empowering technology\edatasecurity\edsloader .exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-01 09:12:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 09:12
ComboFix2.txt 2010-02-28 20:37

Pre-Run: 12,905,484,288 bytes free
Post-Run: 12,860,358,656 bytes free

- - End Of File - - FAFB0A96658192834BEB0F713ED73933



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% MBAM log
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Malwarebytes' Anti-Malware 1.44
Database version: 3808
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

01/03/2010 09:23:01
mbam-log-2010-03-01 (09-23-01).txt

Scan type: Quick Scan
Objects scanned: 127989
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 0
Registry Keys Infected: 78
Registry Values Infected: 17
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 33

Memory Processes Infected:
C:\WINDOWS\system32\nwiz.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\iTunes\iTunesHelper.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Program Files\Java\jre6\bin\jusched.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\ROGER\Local Settings\temp\ctv704.exe (Malware.Packer.Gen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d810b78a-d010-44df-8445-ac58086b600e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a84e835e-1b9c-4fc0-980f-4b2da3c6a2a7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bfc08cff-c737-4433-bd5a-0ee7efcfee54} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d810b78a-d010-44df-8445-ac58086b600e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{31a55ff6-32a4-4ae2-95fe-7891637f3dae} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c056b0ec-6369-452b-9879-b95a1beb0f16} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d760db63-50ba-43b5-9916-29577df6c959} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9901d610-a360-4325-b787-d13bbf4f2a1c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9901d610-a360-4325-b787-d13bbf4f2a1c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zumipirun (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiinae (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejaduaqo (Trojan.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remotecontrol8 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituneshelper (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsi (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java quick start (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiinae (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiinae (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiinae (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiinae (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiinae (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my web search bar search scope monitor (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gobehabuye (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53d02f21-9542-48de-a8bc-c8c3bdce7491}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.157,4.2.2.1,192.168.0.1 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Platte (Adware.Platte) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\ROGER\qiinae .exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
c:\documents and settings\ROGER\local settings\application data\ejaduaqo.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nwiz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\iTunes\iTunesHelper.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre6\bin\jusched.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\Local Settings\temp\ctv704.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pm_proc1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pm_proc1 .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\jusched .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\jusched.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\nwiz .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\nwiz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\qiinae .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\qiinae .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\qiinae .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\qiinae .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\qiinae .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\qiinae.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\rthdcpl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\rundll32 .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\rundll32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\skytel.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Platte\Get Films Now.htm (Adware.Platte) -> Quarantined and deleted successfully.
C:\Program Files\Platte\MovieRecall.htm (Adware.Platte) -> Quarantined and deleted successfully.
C:\Program Files\Platte\Platte Utility.lnk (Adware.Platte) -> Quarantined and deleted successfully.
C:\Program Files\Platte\platte.psys (Adware.Platte) -> Quarantined and deleted successfully.
C:\Program Files\Platte\pm_viewer.exe (Adware.Platte) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pm_ax.ocx (Trojan.Agent) -> Quarantined and deleted successfully.


#8 Elise


Posted 02 March 2010 - 03:42 AM

Okay, that quite did something, however not yet done...

Please delete your old copy of combofix and download a new one, run it and post me the log.

regards, Elise

Malware analyst @ Emsisoft


#9 Teafan


Posted 02 March 2010 - 04:02 PM

Hi Elise,

I've replaced the old combofix with the new one and the log is below.
Also now only getting one error message once windows has finished loading:

Error loading C:\WINDOWS\ujibafidequ.dll
The specified module could not be found

Many thanks,

Graeme

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Combofix log
ComboFix 10-03-02.02 - ROGER 02/03/2010 19:54:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.186 [GMT 0:00]
Running from: c:\documents and settings\ROGER\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ROGER\rthdcpl .exe
c:\documents and settings\ROGER\rthdcpl.exe
c:\documents and settings\ROGER\rundll32 .exe
c:\documents and settings\ROGER\rundll32.exe
c:\documents and settings\ROGER\skytel .exe
c:\documents and settings\ROGER\skytel.exe
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\ctfmon .exe

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-01 09:26 . 2010-03-01 09:26 56320 ----a-w- c:\documents and settings\ROGER\nwiz.exe
2010-02-28 18:53 . 2010-02-28 18:53 4 ----a-w- c:\program files\99640.dat
2010-02-28 18:13 . 2010-02-28 18:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-02-19 06:01 . 2010-02-19 06:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-02-18 10:23 . 2010-02-18 10:23 4 ----a-w- c:\program files\154234.dat
2010-02-17 22:15 . 2010-02-17 22:15 4 ----a-w- c:\program files\359781.dat
2010-02-17 14:46 . 2010-02-17 14:46 4 ----a-w- c:\program files\218140.dat
2010-02-17 14:42 . 2010-02-17 14:42 4 ----a-w- c:\program files\147687.dat
2010-02-17 14:40 . 2010-02-17 14:40 4 ----a-w- c:\program files\126953.dat
2010-02-17 14:37 . 2010-02-17 14:37 4 ----a-w- c:\program files\144453.dat
2010-02-17 11:56 . 2010-02-17 11:56 4 ----a-w- c:\program files\355625.dat
2010-02-17 11:49 . 2010-02-17 11:49 4 ----a-w- c:\program files\212562.dat
2010-02-17 11:41 . 2010-02-17 11:41 4 ----a-w- c:\program files\200328.dat
2010-02-17 11:36 . 2010-02-17 11:36 4 ----a-w- c:\program files\570937.dat
2010-02-17 10:44 . 2010-02-17 10:44 4 ----a-w- c:\program files\1232890.dat
2010-02-17 10:23 . 2010-02-17 10:23 4 ----a-w- c:\program files\703578.dat
2010-02-17 10:17 . 2010-02-17 10:17 4 ----a-w- c:\program files\333750.dat
2010-02-17 10:08 . 2010-02-17 10:08 4 ----a-w- c:\program files\570687.dat
2010-02-17 01:26 . 2010-02-17 01:26 4 ----a-w- c:\program files\1618328.dat
2010-02-17 01:20 . 2010-02-17 01:20 4 ----a-w- c:\program files\1302890.dat
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\ROGER\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 00:21 . 2010-02-17 00:21 4 ----a-w- c:\program files\1203156.dat
2010-02-16 23:47 . 2010-02-16 23:47 4 ----a-w- c:\program files\13430718.dat
2010-02-16 23:40 . 2010-02-16 23:40 0 ----a-w- c:\program files\12980812.dat
2010-02-16 20:03 . 2010-02-16 20:03 4 ----a-w- c:\program files\4615265.dat
2010-02-16 18:46 . 2010-02-16 18:46 4 ----a-w- c:\program files\7625984.dat
2010-02-16 16:00 . 2010-02-16 16:00 4 ----a-w- c:\program files\1247609.dat
2010-02-16 15:55 . 2010-02-16 15:55 -------- d-----w- c:\documents and settings\ROGER\Application Data\AVG9
2010-02-16 15:53 . 2010-02-16 15:53 4 ----a-w- c:\program files\841765.dat
2010-02-16 15:35 . 2010-02-16 15:40 -------- d-----w- C:\$AVG
2010-02-16 15:33 . 2010-02-16 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-16 14:21 . 2010-02-16 14:21 4 ----a-w- c:\program files\2156125.dat
2010-02-16 13:45 . 2010-02-16 13:45 4 ----a-w- c:\program files\798343.dat
2010-02-16 13:32 . 2010-02-16 13:32 4 ----a-w- c:\program files\1025250.dat
2010-02-16 13:09 . 2010-02-16 13:09 4 ----a-w- c:\program files\1143578.dat
2010-02-16 12:50 . 2010-02-16 12:50 4 ----a-w- c:\program files\2385812.dat
2010-02-16 12:10 . 2010-02-16 12:10 4 ----a-w- c:\program files\2799296.dat
2010-02-16 01:45 . 2010-02-16 01:45 4 ----a-w- c:\program files\1211062.dat
2010-02-16 01:24 . 2010-02-16 01:24 4 ----a-w- c:\program files\3396765.dat
2010-02-16 01:23 . 2010-02-16 01:23 4 ----a-w- c:\program files\3324781.dat
2010-02-16 00:56 . 2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-16 00:56 . 2010-02-16 15:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-16 00:56 . 2010-02-16 15:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-16 00:56 . 2010-02-16 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-16 00:55 . 2010-02-16 15:33 -------- d-----w- c:\program files\AVG
2010-02-16 00:55 . 2010-02-16 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-15 15:58 . 2010-02-15 15:58 4 ----a-w- c:\program files\3101875.dat
2010-02-15 15:32 . 2010-02-15 15:32 4 ----a-w- c:\program files\1510781.dat
2010-02-15 09:37 . 2010-02-15 09:37 4 ----a-w- c:\program files\941015.dat
2010-02-15 09:34 . 2010-02-17 12:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 09:01 . 2010-02-15 09:01 4 ----a-w- c:\program files\1819625.dat
2010-02-15 08:29 . 2010-02-15 08:29 4 ----a-w- c:\program files\803640.dat
2010-02-15 07:21 . 2010-02-15 07:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-02-01 01:20 . 2010-02-01 01:20 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-02-01 01:06 . 2010-02-01 01:06 -------- d-----w- c:\documents and settings\ROGER\Local Settings\Application Data\{8E9157C2-0ECE-42FB-B42E-4323392BEF34}
2010-02-01 01:03 . 2010-02-01 01:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 19:31 . 2009-06-06 07:38 -------- d-----w- c:\program files\QuickTime
2010-03-02 19:30 . 2008-08-28 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-01 09:08 . 2009-06-06 07:47 -------- d-----w- c:\program files\iTunes
2010-03-01 08:58 . 2009-11-23 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-03-01 08:58 . 2009-02-12 09:19 -------- d-----w- c:\program files\Free Download Manager
2010-03-01 08:58 . 2007-10-26 04:14 -------- d-----w- c:\program files\BitComet
2010-02-16 01:23 . 2008-07-25 16:14 162 ----a-w- c:\windows\system32\pinf.sys
2010-02-15 15:36 . 2007-12-23 03:27 -------- d-----w- c:\program files\Network Associates
2010-02-15 08:42 . 2009-02-12 09:20 -------- d-----w- c:\documents and settings\ROGER\Application Data\Free Download Manager
2010-02-15 07:57 . 2006-12-04 00:20 -------- d-----w- c:\program files\Lx_cats
2010-02-15 07:38 . 2007-08-24 04:46 -------- d-----w- c:\program files\Google
2010-01-17 04:48 . 2009-03-22 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 07:53 . 2009-12-26 07:53 38784 ----a-w- c:\documents and settings\ROGER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-21 19:14 . 2006-03-04 03:58 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 20:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 07:00 . 2009-12-12 07:00 152576 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-12 07:00 . 2009-12-04 00:27 79488 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:26 . 2005-09-29 00:02 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-09-28 23:35 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-09-08 19:05 . 2008-07-25 16:10 321 --sh--w- c:\windows\system32\3557650112.sys
.
CODE
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-02 56320]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-03-02 56320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]
"nwiz"="nwiz.exe" [N/A]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-11 86016]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-02 56320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2010-03-02 56320]
"Kvemukazaqa"="c:\windows\ujibafidequ.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-3 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16907:TCP"= 16907:TCP:BitComet 16907 TCP
"16907:UDP"= 16907:UDP:BitComet 16907 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/02/2010 00:56 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/02/2010 00:56 360584]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 19:07 61424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/02/2010 00:55 297752]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/02/2010 15:33 285392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [22/03/2009 13:39 54752]
S2 a2free;a-squared Free Service;"e:\asquaredmalware-remote\a2service.exe" --> e:\asquaredmalware-remote\a2service.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/01/2010 03:45 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UBHELPER
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-03-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-26 08:40]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: &Search
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 20:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
.
Completion time: 2010-03-02 20:02:56
ComboFix-quarantined-files.txt 2010-03-02 20:02
ComboFix2.txt 2010-03-01 09:12
ComboFix3.txt 2010-02-28 20:37

Pre-Run: 12,699,115,520 bytes free
Post-Run: 12,686,778,368 bytes free

- - End Of File - - DD91BE291D08110AA1916C019F5F7AE0


#10 Elise


Posted 03 March 2010 - 08:52 AM

Still not done yet...

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
File::
c:\windows\ujibafidequ.dll
c:\documents and settings\ROGER\nwiz.exe
c:\program files\99640.dat
c:\program files\154234.dat
c:\program files\359781.dat
c:\program files\218140.dat
c:\program files\147687.dat
c:\program files\126953.dat
c:\program files\144453.dat
c:\program files\355625.dat
c:\program files\212562.dat
c:\program files\200328.dat
c:\program files\570937.dat
c:\program files\1232890.dat
c:\program files\703578.dat
c:\program files\333750.dat
c:\program files\570687.dat
c:\program files\1618328.dat
c:\program files\1302890.dat
c:\program files\1203156.dat
c:\program files\13430718.dat
c:\program files\12980812.dat
c:\program files\4615265.dat
c:\program files\7625984.dat
c:\program files\1247609.dat
c:\program files\2156125.dat
c:\program files\798343.dat
c:\program files\1025250.dat
c:\program files\1143578.dat
c:\program files\2385812.dat
c:\program files\2799296.dat
c:\program files\1211062.dat
c:\program files\3396765.dat
c:\program files\3324781.dat
c:\program files\3101875.dat
c:\program files\1510781.dat
c:\program files\941015.dat
c:\program files\1819625.dat
c:\program files\803640.dat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kvemukazaqa"=-

RenV::
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise

Malware analyst @ Emsisoft
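For the log in #9 and the CFScript procedure in #10, an added triage helper (example code, not from the thread, ComboFix or any of its authors). It parses a ComboFix log for the patterns Elise acted on: the "name .exe" lookalikes that sit beside each genuine binary, the 4-byte numeric .dat files in Program Files, autostart entries whose target is missing, and unrelated vendors' binaries that all carry the same date and byte-exact 56320 size; it then drafts the File:: and RenV:: sections in the format shown above. SAMPLE_LOG is a constructed excerpt of the posted log; the max_size and min_members thresholds and all function names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix log posted in the thread (not the full log).
SAMPLE_LOG = r"""
2010-03-01 09:26 . 2010-03-01 09:26 56320 ----a-w- c:\documents and settings\ROGER\nwiz.exe
2010-02-28 18:53 . 2010-02-28 18:53 4 ----a-w- c:\program files\99640.dat
2010-02-17 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 23:40 . 2010-02-16 23:40 0 ----a-w- c:\program files\12980812.dat
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask        .exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-02 56320]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-03-02 56320]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"nwiz"="nwiz.exe" [N/A]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-02 56320]
"Kvemukazaqa"="c:\windows\ujibafidequ.dll" [N/A]
"""

# 'Files Created' / 'Find3M' line: created . modified size attrs path
FILE_LINE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d) \. '
                       r'(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+|-+) (\S+) (.+)$')
# 'Reg Loading Points' entry: "name"="target" [date size] | [N/A] | [X]
RUN_LINE = re.compile(r'^"([^"]+)"=\s*"([^"]*)" \[([^\]]*)\]$')
DRIVE_PATH = re.compile(r'^[a-z]:\\', re.I)
SPACED_EXT = re.compile(r'\s\.(exe|dll|scr|com)\b', re.I)  # 'name .exe'
NUMERIC_DAT = re.compile(r'\\program files\\\d+\.dat$', re.I)

def parse_run_entries(text):
    """(value name, target, bracket tag) for every autostart entry."""
    matches = (RUN_LINE.match(l.strip()) for l in text.splitlines())
    return [m.groups() for m in matches if m]

def find_spaced_extensions(text):
    """Paths with whitespace before the extension ('jusched .exe'): in the
    thread, the dropper's lookalike copies beside each genuine binary."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        path = m.group(5) if m else (line if DRIVE_PATH.match(line) else '')
        if SPACED_EXT.search(path):
            hits.append(path)
    return hits

def find_missing_targets(entries):
    """Autostart names whose target ComboFix could not find ([N/A] or [X]).
    A random name with a missing DLL (Kvemukazaqa) is an orphaned loader; a
    vendor name like nwiz needs a human decision, so this only reports."""
    return [name for name, _target, tag in entries if tag in ('N/A', 'X')]

def find_size_clusters(entries, min_members=3):
    """Group entries by '[date size]'. Unrelated vendors' binaries sharing one
    date and a byte-exact size is the fingerprint of a file infector that
    overwrote each of them with the same payload (56320 bytes in the log)."""
    groups = defaultdict(list)
    for name, _target, tag in entries:
        if re.fullmatch(r'\d{4}-\d\d-\d\d \d+', tag):
            groups[tag].append(name)
    return {tag: names for tag, names in groups.items()
            if len(names) >= min_members}

def find_tiny_numeric_dat(text, max_size=4):
    """Numeric-named .dat files of at most max_size bytes dropped straight
    into Program Files (the 99640.dat style markers in the log)."""
    hits = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if (m and m.group(3).isdigit() and int(m.group(3)) <= max_size
                and NUMERIC_DAT.search(m.group(5))):
            hits.append(m.group(5))
    return hits

def triage(text):
    """Run every check over one ComboFix log and collect the findings."""
    entries = parse_run_entries(text)
    return {'spaced_extensions': find_spaced_extensions(text),
            'missing_targets': find_missing_targets(entries),
            'size_clusters': find_size_clusters(entries),
            'tiny_dat_files': find_tiny_numeric_dat(text)}

def draft_cfscript(findings):
    """Render the two mechanical CFScript sections in the format shown in the
    thread (File:: and RenV::); Registry:: lines are left to the analyst."""
    lines = (['File::'] + findings['tiny_dat_files'] +
             ['', 'RenV::'] + findings['spaced_extensions'])
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    findings = triage(SAMPLE_LOG)
    print(findings)
    print(draft_cfscript(findings))
```

Run it against a full ComboFix.txt by reading the file into triage(); the size-cluster check is the one that would have flagged the four 56320-byte "vendor" binaries in the log above before any of them had a name in a signature database.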


#11 Teafan


Posted 03 March 2010 - 02:08 PM

Hi Elise,

Thanks for the combofix script. I've run it and the log file is below.

Graeme

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Combofix.txt
ComboFix 10-03-02.02 - ROGER 03/03/2010 18:50:21.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.196 [GMT 0:00]
Running from: c:\documents and settings\ROGER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ROGER\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\ROGER\nwiz.exe"
"c:\program files\1025250.dat"
"c:\program files\1143578.dat"
"c:\program files\1203156.dat"
"c:\program files\1211062.dat"
"c:\program files\1232890.dat"
"c:\program files\1247609.dat"
"c:\program files\126953.dat"
"c:\program files\12980812.dat"
"c:\program files\1302890.dat"
"c:\program files\13430718.dat"
"c:\program files\144453.dat"
"c:\program files\147687.dat"
"c:\program files\1510781.dat"
"c:\program files\154234.dat"
"c:\program files\1618328.dat"
"c:\program files\1819625.dat"
"c:\program files\200328.dat"
"c:\program files\212562.dat"
"c:\program files\2156125.dat"
"c:\program files\218140.dat"
"c:\program files\2385812.dat"
"c:\program files\2799296.dat"
"c:\program files\3101875.dat"
"c:\program files\3324781.dat"
"c:\program files\333750.dat"
"c:\program files\3396765.dat"
"c:\program files\355625.dat"
"c:\program files\359781.dat"
"c:\program files\4615265.dat"
"c:\program files\570687.dat"
"c:\program files\570937.dat"
"c:\program files\703578.dat"
"c:\program files\7625984.dat"
"c:\program files\798343.dat"
"c:\program files\803640.dat"
"c:\program files\941015.dat"
"c:\program files\99640.dat"
"c:\windows\ujibafidequ.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ROGER\nwiz.exe
c:\documents and settings\ROGER\rthdcpl .exe
c:\documents and settings\ROGER\rthdcpl.exe
c:\documents and settings\ROGER\rundll32 .exe
c:\documents and settings\ROGER\rundll32.exe
c:\documents and settings\ROGER\skytel .exe
c:\documents and settings\ROGER\skytel.exe
c:\program files\1025250.dat
c:\program files\1143578.dat
c:\program files\1203156.dat
c:\program files\1211062.dat
c:\program files\1232890.dat
c:\program files\1247609.dat
c:\program files\126953.dat
c:\program files\12980812.dat
c:\program files\1302890.dat
c:\program files\13430718.dat
c:\program files\144453.dat
c:\program files\147687.dat
c:\program files\1510781.dat
c:\program files\154234.dat
c:\program files\1618328.dat
c:\program files\1819625.dat
c:\program files\200328.dat
c:\program files\212562.dat
c:\program files\2156125.dat
c:\program files\218140.dat
c:\program files\2385812.dat
c:\program files\2799296.dat
c:\program files\3101875.dat
c:\program files\3324781.dat
c:\program files\333750.dat
c:\program files\3396765.dat
c:\program files\355625.dat
c:\program files\359781.dat
c:\program files\4615265.dat
c:\program files\570687.dat
c:\program files\570937.dat
c:\program files\703578.dat
c:\program files\7625984.dat
c:\program files\798343.dat
c:\program files\803640.dat
c:\program files\941015.dat
c:\program files\99640.dat
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-02-28 18:13 . 2010-02-28 18:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-02-19 06:01 . 2010-02-19 06:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\ROGER\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-16 15:55 . 2010-02-16 15:55 -------- d-----w- c:\documents and settings\ROGER\Application Data\AVG9
2010-02-16 15:53 . 2010-02-16 15:53 4 ----a-w- c:\program files\841765.dat
2010-02-16 15:35 . 2010-02-16 15:40 -------- d-----w- C:\$AVG
2010-02-16 15:33 . 2010-02-16 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-16 00:56 . 2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-16 00:56 . 2010-02-16 15:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-16 00:56 . 2010-02-16 15:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-16 00:56 . 2010-02-16 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-16 00:55 . 2010-02-16 15:33 -------- d-----w- c:\program files\AVG
2010-02-16 00:55 . 2010-02-16 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-15 09:34 . 2010-02-17 12:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 07:21 . 2010-02-15 07:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 18:50 . 2009-06-06 07:38 -------- d-----w- c:\program files\QuickTime
2010-03-03 18:50 . 2009-06-06 07:47 -------- d-----w- c:\program files\iTunes
2010-03-02 19:30 . 2008-08-28 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-01 08:58 . 2009-11-23 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-03-01 08:58 . 2009-02-12 09:19 -------- d-----w- c:\program files\Free Download Manager
2010-03-01 08:58 . 2007-10-26 04:14 -------- d-----w- c:\program files\BitComet
2010-02-16 01:23 . 2008-07-25 16:14 162 ----a-w- c:\windows\system32\pinf.sys
2010-02-15 15:36 . 2007-12-23 03:27 -------- d-----w- c:\program files\Network Associates
2010-02-15 08:42 . 2009-02-12 09:20 -------- d-----w- c:\documents and settings\ROGER\Application Data\Free Download Manager
2010-02-15 07:57 . 2006-12-04 00:20 -------- d-----w- c:\program files\Lx_cats
2010-02-15 07:38 . 2007-08-24 04:46 -------- d-----w- c:\program files\Google
2010-01-17 04:48 . 2009-03-22 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 07:53 . 2009-12-26 07:53 38784 ----a-w- c:\documents and settings\ROGER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-21 19:14 . 2006-03-04 03:58 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 20:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 07:00 . 2009-12-12 07:00 152576 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-12 07:00 . 2009-12-04 00:27 79488 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:26 . 2005-09-29 00:02 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-09-28 23:35 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-09-08 19:05 . 2008-07-25 16:10 321 --sh--w- c:\windows\system32\3557650112.sys
.
CODE
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                         .exe


((((((((((((((((((((((((((((( SnapShot@2010-03-02_20.00.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 18:18 . 2010-03-03 18:18 16384 c:\windows\temp\Perflib_Perfdata_8e0.dat
+ 2007-01-29 08:58 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-31 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]
"nwiz"="nwiz.exe" [N/A]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-11 86016]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-03 56320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-3 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16907:TCP"= 16907:TCP:BitComet 16907 TCP
"16907:UDP"= 16907:UDP:BitComet 16907 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/02/2010 00:56 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/02/2010 00:56 360584]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 19:07 61424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/02/2010 00:55 297752]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/02/2010 15:33 285392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [22/03/2009 13:39 54752]
S2 a2free;a-squared Free Service;"e:\asquaredmalware-remote\a2service.exe" --> e:\asquaredmalware-remote\a2service.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/01/2010 03:45 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-26 08:40]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: &Search
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 18:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
.
Completion time: 2010-03-03 18:58:43
ComboFix-quarantined-files.txt 2010-03-03 18:58
ComboFix2.txt 2010-03-02 20:02
ComboFix3.txt 2010-03-01 09:12
ComboFix4.txt 2010-02-28 20:37

Pre-Run: 12,695,896,064 bytes free
Post-Run: 12,652,535,808 bytes free

- - End Of File - - 9E720E0652DAC99CBA9DF5526B3BE695


#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania

Posted 03 March 2010 - 02:11 PM

Okay, that certainly looks like we are making progress.

Please run a CFScript, just like last time, but with the following script:
CODE
File::
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                         .exe


Post me Combofix's log afterwards.


Also, please launch MBAM, update it first, run a quick scan, and post me the results.

How are things running now?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Teafan
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:Cardiff

Posted 03 March 2010 - 05:29 PM

Hi Elise,

Wow - this is taking some work!

I ran the ComboFix script you provided and then MBAM after updating the definitions (logs below).

The machine is running a lot better (there are now no error messages on start up), but there were a couple of potential issues I noticed.

After running MBAM quick scan (which found 11 infected objects) I was recommended to automatically reboot the machine to complete the removal process. This I did. However, after rebooting the machine I ran MBAM again and it detected the same 11 infected objects. I tried again, just to be sure that I did everything correctly the first time only to discover the exact same thing - those same 11 infected objects are still present. Even if I manually reboot the same situation arises.

Additionally there are 2 iexplorer.exe processes that are shown to be running in TaskManager but there's no Internet Explorer window present. A related issue is that after a session where the computer has had internet access, e.g. to update MBAM files, and the network cable has then been removed, on the next reboot I am confronted with an error message saying the system is working offline and asking me if I would like to continue working offline or go online - even though I haven't launched any programs.

There is also a further potentially suspicious process running (edsloader .exe) [deliberate space].


**UPDATE**:
I ran MBAM with a full scan. It picked up a lot more objects than the quick scan. Now when the machine is rebooted, subsequent MBAM scans do not detect any infected objects. I have a copy of this log if it is useful.

I also note that the process edsloader .exe has not appeared in Task Manager. (Nor do there appear to be any other suspicious processes running). And the iexplorer.exe processes have not reappeared when the computer has been connected to the internet.

To me this sounds very promising...
Do you have any thoughts?

Many thanks,

Graeme

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Combofix.txt
ComboFix 10-03-02.02 - ROGER 03/03/2010 19:58:52.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.190 [GMT 0:00]
Running from: c:\documents and settings\ROGER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ROGER\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\QuickTime\qttask .exe"
"c:\program files\QuickTime\qttask .exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ROGER\rthdcpl .exe
c:\documents and settings\ROGER\rthdcpl.exe
c:\documents and settings\ROGER\rundll32 .exe
c:\documents and settings\ROGER\rundll32.exe
c:\documents and settings\ROGER\skytel .exe
c:\documents and settings\ROGER\skytel.exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe

.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 19:05 . 2010-03-03 19:05 56320 ----a-w- c:\documents and settings\ROGER\nwiz.exe
2010-02-28 18:13 . 2010-02-28 18:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2010-02-19 06:01 . 2010-02-19 06:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\ROGER\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 01:18 . 2010-02-17 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 01:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-16 15:55 . 2010-02-16 15:55 -------- d-----w- c:\documents and settings\ROGER\Application Data\AVG9
2010-02-16 15:53 . 2010-02-16 15:53 4 ----a-w- c:\program files\841765.dat
2010-02-16 15:35 . 2010-02-16 15:40 -------- d-----w- C:\$AVG
2010-02-16 15:33 . 2010-02-16 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-16 00:56 . 2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-16 00:56 . 2010-02-16 15:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-16 00:56 . 2010-02-16 15:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-16 00:56 . 2010-02-16 15:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-16 00:56 . 2010-02-16 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-16 00:55 . 2010-02-16 15:33 -------- d-----w- c:\program files\AVG
2010-02-16 00:55 . 2010-02-16 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-02-15 23:54 . 2010-02-15 23:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-15 09:34 . 2010-02-17 12:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 07:21 . 2010-02-15 07:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 20:04 . 2009-06-06 07:38 -------- d-----w- c:\program files\QuickTime
2010-03-03 18:50 . 2009-06-06 07:47 -------- d-----w- c:\program files\iTunes
2010-03-02 19:30 . 2008-08-28 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-01 08:58 . 2009-11-23 04:36 -------- d-----w- c:\program files\PeerGuardian2
2010-03-01 08:58 . 2009-02-12 09:19 -------- d-----w- c:\program files\Free Download Manager
2010-03-01 08:58 . 2007-10-26 04:14 -------- d-----w- c:\program files\BitComet
2010-02-16 01:23 . 2008-07-25 16:14 162 ----a-w- c:\windows\system32\pinf.sys
2010-02-15 15:36 . 2007-12-23 03:27 -------- d-----w- c:\program files\Network Associates
2010-02-15 08:42 . 2009-02-12 09:20 -------- d-----w- c:\documents and settings\ROGER\Application Data\Free Download Manager
2010-02-15 07:57 . 2006-12-04 00:20 -------- d-----w- c:\program files\Lx_cats
2010-02-15 07:38 . 2007-08-24 04:46 -------- d-----w- c:\program files\Google
2010-01-17 04:48 . 2009-03-22 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 07:53 . 2009-12-26 07:53 38784 ----a-w- c:\documents and settings\ROGER\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-21 19:14 . 2006-03-04 03:58 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 20:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 07:00 . 2009-12-12 07:00 152576 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-12 07:00 . 2009-12-04 00:27 79488 ----a-w- c:\documents and settings\ROGER\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:26 . 2005-09-29 00:02 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-09-28 23:35 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-09-08 19:05 . 2008-07-25 16:10 321 --sh--w- c:\windows\system32\3557650112.sys
.
CODE
<pre>
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\QuickTime\qttask                            .exe
c:\program files\QuickTime\qttask                           .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-03-02_20.00.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 19:51 . 2010-03-03 19:51 16384 c:\windows\temp\Perflib_Perfdata_1ac.dat
+ 2007-01-29 08:58 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-03 56320]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-03-03 56320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-11 7626752]
"nwiz"="nwiz.exe" [N/A]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-11 86016]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2010-03-03 56320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2010-03-03 56320]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-3 45056]
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-16 15:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16907:TCP"= 16907:TCP:BitComet 16907 TCP
"16907:UDP"= 16907:UDP:BitComet 16907 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [16/02/2010 00:56 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [16/02/2010 00:56 360584]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [15/05/2008 19:07 61424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [16/02/2010 00:55 297752]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/02/2010 15:33 285392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [22/03/2009 13:39 54752]
S2 a2free;a-squared Free Service;"e:\asquaredmalware-remote\a2service.exe" --> e:\asquaredmalware-remote\a2service.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/01/2010 03:45 135664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-26 08:40]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 03:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: &Search
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 20:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e3,67,94,dd,59,34,15,4f,87,a8,6f,\
.
Completion time: 2010-03-03 20:07:11
ComboFix-quarantined-files.txt 2010-03-03 20:07
ComboFix2.txt 2010-03-03 18:58
ComboFix3.txt 2010-03-02 20:02
ComboFix4.txt 2010-03-01 09:12
ComboFix5.txt 2010-03-03 19:58

Pre-Run: 12,632,276,992 bytes free
Post-Run: 12,588,621,824 bytes free

- - End Of File - - 33458DBA08C8BA3B13AF277DE2FE6F10




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% MBAM log
Malwarebytes' Anti-Malware 1.44
Database version: 3822
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/03/2010 21:45:21
mbam-log-2010-03-03 (21-45-21).txt

Scan type: Quick Scan
Objects scanned: 127947
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\Program Files\CyberLink\PowerDVD8\Language\language.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pdvd8languageshortcut (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\CyberLink\PowerDVD8\Language\language.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\Local Settings\temp\wmpscfgs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\nwiz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\rthdcpl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\rundll32 .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\rundll32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ROGER\skytel.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by Teafan, 03 March 2010 - 06:28 PM.
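The ComboFix and MBAM logs in this thread show the same trick repeatedly: executables such as `qttask .exe`, `rundll32 .exe` and `ehtray .exe` whose names carry one or more spaces before the extension, so that in a directory listing or a forum post they look identical to the legitimate file, plus copies of well-known system binaries (`rundll32.exe`, `nwiz.exe`, `skytel.exe`) dropped into a user profile or a third-party program folder. The script below is an added example, not code from the thread, from ComboFix or from Malwarebytes. It runs two defender-side checks over a constructed directory listing: it groups every whitespace-padded name by the canonical name it imitates, so that several variants that render identically are reported together, and it flags known system binaries found outside their expected directory. The `EXPECTED_DIR` table is an assumption for illustration and would need to match the Windows version under examination.

```python
import re
from collections import defaultdict

# Constructed sample listing (not taken from the thread's logs). Several
# entries differ only in the run of whitespace before ".exe"; in a forum post
# or a proportional font they all collapse to the same visible "qttask .exe".
SAMPLE_LISTING = [
    r"c:\program files\QuickTime\qttask.exe",
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\program files\QuickTime\qttask" + " " * 26 + ".exe",
    r"c:\program files\QuickTime\qttask" + " " * 25 + ".exe",
    r"c:\windows\ehome\ehtray.exe",
    r"c:\windows\ehome\ehtray .exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\notepad.exe",
    r"c:\documents and settings\ROGER\rundll32 .exe",
    r"c:\documents and settings\ROGER\rundll32.exe",
]

# Assumed (hypothetical) home directory for a few system binaries; extend it
# for the Windows version you are examining.
EXPECTED_DIR = {
    "rundll32.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "notepad.exe": r"c:\windows\system32",
}

# A stem, then one or more whitespace characters, then a short extension that
# ends the name. "Google Updater.exe" does not match: its space is not
# directly in front of the extension.
PADDED_NAME = re.compile(r"^(?P<stem>.*?\S)(?P<pad>\s+)(?P<ext>\.[A-Za-z0-9]{1,4})$")


def split_path(path):
    """Split a Windows path into (directory, file name)."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def is_padded(name):
    """True if whitespace sits between the stem and the extension."""
    return PADDED_NAME.match(name) is not None


def canonical(name):
    """Name with any whitespace padding removed, lower-cased for grouping."""
    m = PADDED_NAME.match(name)
    if m is None:
        return name.lower()
    return (m.group("stem") + m.group("ext")).lower()


def find_padded_names(paths):
    """Group whitespace-padded file names by (directory, canonical name).

    Returns {(dir, canonical): [original padded names]} so that variants that
    render identically on screen are reported together with their pad widths.
    """
    groups = defaultdict(list)
    for path in paths:
        directory, name = split_path(path)
        if is_padded(name):
            groups[(directory.lower(), canonical(name))].append(name)
    return dict(groups)


def find_misplaced_binaries(paths, expected=EXPECTED_DIR):
    """Return paths whose canonical name is a known system binary but whose
    directory differs from the one listed in `expected`."""
    hits = []
    for path in paths:
        directory, name = split_path(path)
        want = expected.get(canonical(name))
        if want is not None and directory.lower() != want.lower():
            hits.append(path)
    return hits


def report(paths):
    """Human-readable summary of both checks."""
    lines = []
    for (directory, canon), variants in sorted(find_padded_names(paths).items()):
        lines.append(f"{directory}\\{canon}: {len(variants)} padded variant(s)")
        for v in variants:
            lines.append(f"    {len(v) - len(canon):>3} pad char(s): {v!r}")
    for path in find_misplaced_binaries(paths):
        lines.append(f"misplaced system binary: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

Feeding a real listing (for example the output of `dir /s /b` saved to a file, one path per line) into `report` is enough to reproduce what ComboFix's `<pre>` section shows: the three `qttask` variants in the sample are reported under one canonical name with their pad widths, which is why the CFScript in this thread has to list each padded name separately. The `repr()` in the report keeps the spaces visible instead of letting them collapse again.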


#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,821 posts
  • Gender:Female
  • Location:Romania

Posted 04 March 2010 - 03:16 AM

Yes, please post me also the log of the MBAM full scan.

regards, Elise



#15 Teafan
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Location:Cardiff

Posted 04 March 2010 - 04:23 AM

Hi Elise,

The log of the full MBAM scan is below.

Graeme

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% MBAM full scan results
Malwarebytes' Anti-Malware 1.44
Database version: 3822
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/03/2010 22:32:38
mbam-log-2010-03-03 (22-32-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 195109
Time elapsed: 26 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 181

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quicktime task (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swg (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\QuickTime\qttask .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\QuickTime\qttask .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\QuickTime\qttask .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\QuickTime\qttask .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\QuickTime\qttask .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\QuickTime\qttask.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AVG\AVG8\alcmtr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AVG\AVG8\nwiz.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AVG\AVG8\rthdcpl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AVG\AVG8\rundll32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\AVG\AVG8\skytel.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\alcmtr .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\alcmtr.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\jusched .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\nwiz .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\nwiz.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.delme168.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.delme170.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\qiinae .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\rthdcpl .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\rthdcpl.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\rundll32 .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\rundll32.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\skytel .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\skytel.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\Application Data\Control-Center\ccagent.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\Local Settings\Application Data\ejaduaqo.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Adobe\acrotray .exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\js.mui.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\wmpscfgs.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\ujibafidequ.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\alcmtr .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\alcmtr.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\app_dll.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bamonipo.dll.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gamibuyo.dll.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\skytel .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\herifolu.dll.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pazodoga.dll.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1 .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rthdcpl .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rthdcpl.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\skytel.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32 .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\suteniro.dll.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yorerufo.dll.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3NRgGjsiRnl.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3ojSofXvDpV.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3PoHBuPPwRe.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3QcnWucCgMD.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3qLxmARccpS.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3rVqxbsjPkp.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3RyBXahKYjO.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3vfFbMJojUa.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3VhApGNrsSi.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3VnnNocomeU.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3wfVPkkbaGs.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3xFsygeVDYY.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3xhMLwldqGC.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3xyDoGNJMNP.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3AabMyQvUqK.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3aNBOcPeSTQ.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3bfQEoQKGaY.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3dorOdCJDYH.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3ekIaubtBWq.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3ExLbIaAyXm.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3ianNsIxvaT.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3ikwDLAPkuG.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3inWWNglwqQ.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3jljncvwrdW.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3JuHpftthiM.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3kCMhepsJAW.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3kqXomTTgJm.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3lEbolaTIPN.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3LUtDXDctdi.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3lWdggYKaNk.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3mDkoOYpNwm.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3noOgbXkHRB.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3NQtaAiWdec.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000057.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000058.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000059.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000060.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000061.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000062.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000063.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000064.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000066.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000067.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000068.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000069.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000070.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000071.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000076.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000077.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000078.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000079.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000080.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000083.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000084.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000098.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000100.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000101.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000102.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000103.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000104.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000105.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000107.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000108.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000056.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000074.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000109.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000110.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000111.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000112.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000113.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000114.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000115.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000116.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000117.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000146.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000404.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000405.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000406.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000407.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000408.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000409.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000410.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000411.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000544.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000545.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000546.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP3\A0000547.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000565.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000567.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000568.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000569.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000570.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000608.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000609.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000610.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000611.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000612.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000613.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000629.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000630.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000631.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000632.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP4\A0000566.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000805.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000807.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000808.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000809.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000810.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000839.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000840.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000841.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000842.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000806.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000843.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000991.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000992.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000993.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP5\A0000994.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
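The log above is worth reading for its patterns rather than its individual entries: legitimate-looking names with a space inserted before the extension ("qttask .exe", "rundll32 .exe", "acrotray .exe"), genuine system binary names dropped into directories where they do not belong (C:\Program Files\AVG\AVG8\rundll32.exe), a batch of kernel drivers with a fixed "4DW4R3" prefix followed by random letters, and copies of everything in the System Restore store. Several lines also appear identical when rendered; one plausible reason (an assumption, not something the log itself proves) is that the malware used different Unicode whitespace characters in the file name, which a browser collapses to a single space. The script below is an added example, not part of the original post and not Malwarebytes or ComboFix code: it parses log lines of the "path (detection) -> action" form, tags each entry with the pattern it matches, and collapses the masqueraded names back to the binary they imitate. The tag names are my own, the sample lines are constructed to resemble the log (one deliberately uses a non-breaking space), and the "4DW4R3" prefix is taken from the driver names listed above.

```python
import re
import unicodedata
from collections import Counter

# One Malwarebytes log entry: "<path> (<detection>) -> <action>"
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Prefix shared by the randomly named kernel drivers in the log above.
ROOTKIT_DRIVER_PREFIX = "4DW4R3"


def parse_line(line):
    """Return (path, detection, action), or None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection"), m.group("action")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def strip_quarantine_suffix(name):
    """ComboFix quarantine copies end in '.vir', sometimes '.delmeNNN.vir'."""
    name = re.sub(r"\.delme\d+\.vir$", "", name)
    return re.sub(r"\.vir$", "", name)


def has_hidden_whitespace(name):
    """True if any whitespace (ASCII or Unicode, e.g. U+00A0) sits in the stem."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return any(ch.isspace() or unicodedata.category(ch) == "Zs" for ch in stem)


def canonical_name(name):
    """Collapse a masqueraded name to the legitimate binary it imitates."""
    return "".join(ch for ch in name if not ch.isspace()).lower()


def classify(path):
    """Tag an entry with the evasion/persistence pattern it shows (tag names are my own)."""
    tags = set()
    name = strip_quarantine_suffix(basename(path))
    lower = path.lower()
    if has_hidden_whitespace(name):
        tags.add("masquerade-whitespace")
    if name.upper().startswith(ROOTKIT_DRIVER_PREFIX) and name.lower().endswith(".sys"):
        tags.add("random-named-driver")
    if "\\system volume information\\" in lower:
        tags.add("restore-point-copy")
    if "\\qoobox\\quarantine\\" in lower:
        tags.add("already-quarantined")
    return tags


def summarize(lines):
    """Parse log lines; return entry count, per-tag counts and masqueraded name counts."""
    tag_counts = Counter()
    masqueraded = Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        path, _detection, _action = rec
        tags = classify(path)
        tag_counts.update(tags)
        if "masquerade-whitespace" in tags:
            masqueraded[canonical_name(strip_quarantine_suffix(basename(path)))] += 1
    return {"parsed": parsed, "tags": dict(tag_counts), "masqueraded": dict(masqueraded)}


# Constructed sample modelled on the log above (not copied from it). The second
# line uses U+00A0 instead of a plain space to show why two entries can look the same.
SAMPLE_LOG = [
    r"C:\Program Files\QuickTime\qttask .exe (Trojan.Downloader) -> Quarantined and deleted successfully.",
    "C:\\Program Files\\QuickTime\\qttask\u00a0.exe (Trojan.Downloader) -> Quarantined and deleted successfully.",
    r"C:\Program Files\QuickTime\qttask.exe (Trojan.Downloader) -> Quarantined and deleted successfully.",
    r"C:\Program Files\AVG\AVG8\rundll32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3NRgGjsiRnl.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.",
    r"C:\Qoobox\Quarantine\C\Documents and Settings\ROGER\rundll32 .exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.",
    r"C:\System Volume Information\_restore{56686BB7-17B2-473F-821C-EB36BA31F9DE}\RP1\A0000057.exe (Trojan.Downloader) -> Quarantined and deleted successfully.",
    "Files Infected:",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointing the script at a saved mbam-log-*.txt (read the file with encoding="utf-8", errors="replace") gives a quick triage view: the "masqueraded" map shows which legitimate binaries were imitated and how many variants existed, "random-named-driver" counts the rootkit's driver copies, and "restore-point-copy" tells you that System Restore still holds the samples until the restore points are purged.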