
Vista 2010 Virus av.exe


This topic is locked. 38 replies to this topic.

#1 raff (Members, 47 posts)

Posted 01 March 2010 - 08:03 AM

Hi all. For the past 4 weeks I have been struggling to get rid of the Vista 2010 virus and its associated problems.

Yesterday I booted into safe mode and ran Malwarebytes, Spybot, AVG, SUPERAntiSpyware and CCleaner. I also checked through Google and removed a variety of malicious registry entries (not all entries that I read about were there). Well, about an hour after doing all this I went to do something and the bloody thing was back!! WTF

As said, I have spent a good deal of time and effort trying to get rid of this cr@p and have finally given up. Can someone PLEASE help me? I have included a HijackThis log, thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:09, on 01/03/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\raff\Downloads\utorrent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerStrip\PStrip.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent Turbo Accelerator\uTorrent Turbo Accelerator.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\regedit.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?hl=en&tab=wm#inbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SMTTB2009 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\WebScout Toolbar\tbcore3.dll
O3 - Toolbar: WebScout Toolbar - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files\WebScout Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Users\raff\Downloads\utorrent.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\raff\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: PowerStrip.lnk = C:\Program Files\PowerStrip\PStrip.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 5735 bytes



I had done the Trend Micro HouseCall scan and I had User Account Control turned off, so I started it again, but still this cr@p got in. I also deleted all temporary files, cookies and web browsing history.

I have also tried these instructions:

http://www.2-viruses.com/remove-vista-antispyware-2010


The bloody thing seems to go, then a day or so later it's back; the PC scans clean with all anti-virus/spyware programs. Where is it getting in?

Please, PLEASE help!
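Added example, not code from this thread, from HijackThis or from OTL: a small Python triage script that reads HijackThis and OTL log lines of the kind posted in this thread and flags the entry types a malware helper reviews first (orphaned BHO registrations, autostarts from user-writable folders, trusted-zone additions, AppInit DLLs, UAC disabled by policy, auto-start services whose binary is missing, and hidden+system executables inside the user profile). The rule names, the USER_WRITABLE list and the regular expressions are the example's own choices; the sample lines are copied from the logs in this thread, including the OTL indicators raff posts later. Every hit is a lead to review, not a verdict: Google Update, for instance, legitimately autostarts from AppData.

```python
"""Triage heuristics for HijackThis- and OTL-style log lines.

Added example, not code from this thread, from HijackThis or from OTL.
It reads the two line formats as they appear in the thread and flags the
entry types a malware helper reviews first. Every hit is a lead to check,
not a verdict: some legitimate software also autostarts from AppData.
"""
import re
from typing import Iterable, List, Tuple

# Directories an autostart entry or service binary rarely runs from legitimately
# (example's own list, matched case-insensitively against the whole line).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\", "\\programdata\\")

# HijackThis / OTL section line, e.g. 'O4 - HKCU\..\Run: [uTorrent] "C:\Users\raff\Downloads\utorrent.exe"'
HJT_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")

# OTL service whose binary is missing, e.g. 'SRV - File not found [Auto | Stopped] -- -- (zopwq)'
OTL_SRV_MISSING_RE = re.compile(
    r"^SRV - File not found \[(?P<start>[^|\]]+)\|[^\]]*\] -- -- \((?P<name>[^)]+)\)$")

# OTL file entry: '[date time | size | RHSD attribute flags | C or M] (company) -- path'
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$")

Finding = Tuple[str, str]  # (rule name, the entry or path that triggered it)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the findings for a sequence of log lines, in input order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        low = line.lower()
        if not line:
            continue

        m = OTL_SRV_MISSING_RE.match(line)
        if m:
            # An auto-start service with no file on disk is a leftover of a removed
            # (or hidden) component; a run of random names is typical of rogue-AV droppers.
            if m.group("start").strip().lower() == "auto":
                findings.append(("autostart-service-missing-binary", m.group("name")))
            continue

        m = OTL_FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # Hidden+System executable inside the user profile: normal programs
            # do not hide their binaries this way.
            if "H" in attrs and "S" in attrs and path.lower().endswith(".exe") \
                    and any(d in path.lower() for d in USER_WRITABLE):
                findings.append(("hidden-system-exe-in-profile", path))
            continue

        m = HJT_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("O2", "O3") and ("(no file)" in low or "no clsid value found" in low):
            findings.append(("orphaned-bho-or-toolbar", body))        # dead registration, clean up
        elif code == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append(("autostart-from-user-writable-dir", body))
        elif code == "O15":
            findings.append(("trusted-zone-addition", body))          # weakens IE zone protections
        elif code == "O20" and "appinit_dlls" in low:
            findings.append(("appinit-dll", body))                    # loads into every GUI process
        elif code == "O6" and "enablelua = 0" in low:
            findings.append(("uac-disabled", body))                   # UAC switched off by policy
    return findings


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Users\raff\Downloads\utorrent.exe"
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O20 - AppInit_DLLs: avgrsstx.dll
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
SRV - File not found [Auto | Stopped] -- -- (zopwq)
SRV - [2010/02/20 17:38:59 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
[2010/03/01 12:52:39 | 000,187,392 | -HS- | M] () -- C:\Users\raff\AppData\Local\av.exe
[2010/03/02 00:07:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\raff\Desktop\OTL.exe
"""


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:36s} {detail}")
```

Run against the sample it reports seven findings and stays silent on the AVG tray entry, the AVG watchdog service and OTL.exe itself. The attribute field is used exactly as OTL prints it (R, H, S, D positions), which is why the av.exe entry in AppData\Local stands out while the ordinary "----" files do not.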



#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 01 March 2010 - 04:51 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT
  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for the following boxes. Please uncheck these boxes.
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.



#3 raff (Topic Starter, Members, 47 posts)

Posted 01 March 2010 - 09:24 PM

Thanks for the help, Sam. This has been a real pain. Reports are as follows:

OTL logfile created on: 02/03/2010 01:46:03 - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Users\raff\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 31.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.48 Gb Total Space | 29.74 Gb Free Space | 20.30% Space Free | Partition Type: NTFS
Drive D: | 552.15 Gb Total Space | 62.29 Gb Free Space | 11.28% Space Free | Partition Type: NTFS
Drive E: | 465.76 Gb Total Space | 465.65 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
Drive F: | 2.70 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RAFF-PC
Current User Name: raff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/02 00:07:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\raff\Desktop\OTL.exe
PRC - [2010/02/28 16:29:53 | 000,319,280 | ---- | M] (BitTorrent, Inc.) -- C:\Users\raff\Downloads\utorrent.exe
PRC - [2010/02/26 12:46:48 | 000,396,288 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
PRC - [2010/02/20 17:41:05 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/02/20 17:41:04 | 002,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/02/20 17:41:04 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/02/20 17:41:04 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/02/20 17:41:04 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/02/20 17:38:59 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/02/19 16:57:12 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/18 09:44:42 | 000,731,136 | ---- | M] (WebSpeeders LLC) -- C:\Program Files\uTorrent Turbo Accelerator\uTorrent Turbo Accelerator.exe
PRC - [2010/01/11 21:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/12/22 01:57:30 | 000,349,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
PRC - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Anti-Malware\a2service.exe
PRC - [2009/04/11 06:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/11 18:23:16 | 000,738,336 | ---- | M] (EnTech Taiwan) -- C:\Program Files\PowerStrip\PStrip.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/10/24 19:34:53 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/09/30 11:48:28 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/01/19 07:38:32 | 000,319,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Defender\MpCmdRun.exe
PRC - [2007/09/19 06:50:44 | 004,702,208 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/03/06 10:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe


========== Modules (SafeList) ==========

MOD - [2010/03/02 00:07:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\raff\Desktop\OTL.exe
MOD - [2010/02/20 17:41:10 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
MOD - [2009/04/11 06:28:21 | 002,241,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msi.dll
MOD - [2009/04/11 06:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/19 07:36:24 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sfc_os.dll
MOD - [2006/11/02 09:46:13 | 000,004,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sfc.dll
MOD - [2006/11/02 09:46:07 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msiltcfg.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (zopwq)
SRV - File not found [Auto | Stopped] -- -- (xicujr)
SRV - File not found [Auto | Stopped] -- -- (wjgpzkkk)
SRV - File not found [Auto | Stopped] -- -- (tiqhkt)
SRV - File not found [Auto | Stopped] -- -- (rxrddmpwq)
SRV - File not found [Auto | Stopped] -- -- (rnuotoqxr)
SRV - File not found [Auto | Stopped] -- -- (pmfmxs)
SRV - File not found [Auto | Stopped] -- -- (nnviu)
SRV - File not found [Auto | Stopped] -- -- (ixdrsoztt)
SRV - File not found [Auto | Stopped] -- -- (gcfwi)
SRV - File not found [Auto | Stopped] -- -- (efuzpaub)
SRV - File not found [Auto | Stopped] -- -- (dlgdiqbz)
SRV - File not found [Auto | Stopped] -- -- (ayeokqah)
SRV - [2010/02/20 17:38:59 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/01/25 10:02:20 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/01/11 21:00:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Anti-Malware\a2service.exe -- (a2AntiMalware)
SRV - [2009/09/25 01:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/10/24 19:34:53 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/09/30 11:48:28 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008/01/19 07:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/03/06 10:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)
SRV - [2006/11/02 12:35:29 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?hl=en&tab=wm#inbox
IE - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\S-1-5-21-1757698349-3404511116-2836484845-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\S-1-5-21-1757698349-3404511116-2836484845-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.60
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: {B9C8BE50-7105-4ec6-8FB4-4935C0671648}:0.5.995
FF - prefs.js..extensions.enabledItems: ga-IE@dictionaries.addons.mozilla.org:4.4
FF - prefs.js..extensions.enabledItems: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9}:1.0
FF - prefs.js..extensions.enabledItems: {75656794-AB59-4712-BFBC-5D816D56F3BC}:1.1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/02/20 17:38:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/19 16:57:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/19 16:57:25 | 000,000,000 | ---D | M]

[2008/07/03 13:56:37 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Mozilla\Extensions
[2010/03/01 09:33:34 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions
[2009/07/11 01:03:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/25 19:09:41 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/03/01 09:33:22 | 000,000,000 | ---D | M] (WebScout Toolbar) -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
[2010/02/11 23:28:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions\{B9C8BE50-7105-4ec6-8FB4-4935C0671648}
[2010/02/02 00:51:44 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2008/09/21 14:12:51 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2008/09/21 14:12:51 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\extensions\ga-IE@dictionaries.addons.mozilla.org
[2008/07/05 07:00:33 | 000,001,504 | ---- | M] () -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\searchplugins\imdb.xml
[2008/07/05 07:00:45 | 000,001,032 | ---- | M] () -- C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Profiles\o0md0y5m.default\searchplugins\wikipedia-eng.xml
[2010/03/01 09:33:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/29 15:22:46 | 000,000,000 | ---D | M] (Sukoku) -- C:\Program Files\Mozilla Firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
[2009/08/12 15:40:17 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/12 15:40:17 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/12 15:40:17 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/29 15:22:47 | 000,002,381 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\sukoku115.xml
[2009/09/04 19:56:56 | 000,002,381 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\sukoku117.xml
[2009/08/12 15:40:17 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/02/25 13:35:53 | 000,380,856 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 13122 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (WebScout Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files\WebScout Toolbar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000..\Run: [Google Update] C:\Users\raff\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000..\Run: [uTorrent] C:\Users\raff\Downloads\utorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Users\raff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerStrip.lnk = C:\Program Files\PowerStrip\PStrip.exe (EnTech Taiwan)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\..Trusted Domains: o2.co.uk ([*.broadband] http in Trusted sites)
O15 - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000\..Trusted Domains: o2.co.uk ([*.broadband] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Users\raff\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/24 08:41:29 | 000,000,057 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{51de01e9-5117-11dd-b9f6-001d7da93f64}\Shell - "" = AutoRun
O33 - MountPoints2\{51de01e9-5117-11dd-b9f6-001d7da93f64}\Shell\AutoRun\command - "" = F:\Borderlands.exe -- File not found
O33 - MountPoints2\{e873bb8d-5d50-11dd-9a92-001d7da93f64}\Shell - "" = AutoRun
O33 - MountPoints2\{e873bb8d-5d50-11dd-9a92-001d7da93f64}\Shell\AutoRun\command - "" = G:\DarkAthena_Launcher.exe -- File not found
O33 - MountPoints2\{e873bb8d-5d50-11dd-9a92-001d7da93f64}\Shell\play\command - "" = G:\DarkAthena_Launcher.exe -- File not found
O33 - MountPoints2\{f5d46159-e270-11de-ab80-001d7da93f64}\Shell - "" = AutoRun
O33 - MountPoints2\{f5d46159-e270-11de-ab80-001d7da93f64}\Shell\AutoRun\command - "" = L:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/07/29 09:27:50 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: xicujr - File not found
NetSvcs: dlgdiqbz - File not found
NetSvcs: wjgpzkkk - File not found
NetSvcs: ixdrsoztt - File not found
NetSvcs: rnuotoqxr - File not found
NetSvcs: pmfmxs - File not found
NetSvcs: nnviu - File not found
NetSvcs: ayeokqah - File not found
NetSvcs: tiqhkt - File not found
NetSvcs: gcfwi - File not found
NetSvcs: rxrddmpwq - File not found
NetSvcs: zopwq - File not found
NetSvcs: efuzpaub - File not found
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/03/02 01:46:36 | 000,000,000 | ---D | C] -- C:\Users\raff\Desktop\gmer
[2010/03/02 01:43:03 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Users\raff\Desktop\OTL.exe
[2010/03/01 09:34:12 | 000,000,000 | ---D | C] -- C:\Program Files\1C Company
[2010/03/01 09:32:41 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent Turbo Accelerator
[2010/02/28 18:42:59 | 000,000,000 | ---D | C] -- C:\Program Files\WebScout Toolbar
[2010/02/27 14:08:26 | 000,000,000 | ---D | C] -- C:\Users\raff\Desktop\TIMESHARE
[2010/02/26 12:46:48 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/24 12:43:52 | 000,000,000 | ---D | C] -- C:\Users\raff\Desktop\NecroVisioN Lost Company
[2010/02/20 17:41:32 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/02/20 17:41:08 | 000,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/02/20 17:38:58 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/02 01:48:17 | 007,077,888 | -HS- | M] () -- C:\Users\raff\ntuser.dat
[2010/03/02 00:57:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1757698349-3404511116-2836484845-1000UA.job
[2010/03/02 00:20:43 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 00:20:43 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 00:07:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\raff\Desktop\OTL.exe
[2010/03/01 21:07:59 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/01 21:07:59 | 000,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/01 21:07:59 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/01 19:57:27 | 000,026,112 | ---- | M] () -- C:\Users\raff\Documents\NaíScoi fire planl.doc
[2010/03/01 18:46:50 | 000,128,256 | ---- | M] () -- C:\Users\raff\Desktop\DEV-GRAppForm.pdf
[2010/03/01 12:52:47 | 000,001,032 | -HS- | M] () -- C:\Users\raff\AppData\Local\5B4t56F8r4rw
[2010/03/01 12:52:39 | 000,187,392 | -HS- | M] () -- C:\Users\raff\AppData\Local\av.exe
[2010/03/01 11:16:16 | 056,483,219 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/03/01 09:48:32 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010/03/01 09:48:31 | 000,006,144 | ---- | M] () -- C:\Users\raff\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/01 09:32:52 | 000,001,020 | ---- | M] () -- C:\Users\Public\Desktop\uTorrent Turbo Accelerator.lnk
[2010/03/01 02:57:00 | 000,000,850 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1757698349-3404511116-2836484845-1000Core.job
[2010/02/28 18:40:10 | 000,008,337 | ---- | M] () -- C:\Users\raff\AppData\Roaming\PStrip.ini
[2010/02/28 18:40:09 | 000,008,337 | ---- | M] () -- C:\Users\raff\AppData\Roaming\PStrip.bak
[2010/02/28 18:22:11 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/02/28 18:21:17 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/02/28 18:21:11 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/02/28 18:20:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/02/28 18:19:26 | 000,524,288 | -HS- | M] () -- C:\Users\raff\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 18:19:26 | 000,065,536 | -HS- | M] () -- C:\Users\raff\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/02/28 18:18:40 | 000,008,360 | ---- | M] () -- C:\Users\raff\AppData\Roaming\PStrip.bk!
[2010/02/28 18:18:23 | 002,965,216 | -H-- | M] () -- C:\Users\raff\AppData\Local\IconCache.db
[2010/02/28 16:49:20 | 000,107,029 | ---- | M] () -- C:\Users\raff\Desktop\bookmarks-2010-02-28.json
[2010/02/28 16:31:47 | 000,002,788 | -HS- | M] () -- C:\Users\raff\AppData\Local\3lWA80e66MIo
[2010/02/28 13:55:07 | 3880,910,848 | ---- | M] () -- C:\Users\raff\Desktop\SHORTS.iso
[2010/02/27 15:55:30 | 000,280,576 | ---- | M] () -- C:\Users\raff\Desktop\Foirm_Iarratais_Sceim_na_nImeachtai_Oige_2010_11.doc
[2010/02/27 12:29:15 | 000,000,285 | ---- | M] () -- C:\Users\raff\Desktop\exefix.reg
[2010/02/27 10:20:24 | 000,011,106 | -HS- | M] () -- C:\Users\raff\AppData\Local\vC7T1jSucn6Bd
[2010/02/26 12:49:57 | 000,000,036 | ---- | M] () -- C:\Users\raff\AppData\Local\housecall.guid.cache
[2010/02/26 12:46:49 | 000,001,874 | ---- | M] () -- C:\Users\raff\Desktop\HijackThis.lnk
[2010/02/26 12:27:16 | 000,004,239 | ---- | M] () -- C:\Users\raff\AppData\Roaming\PStrip.bko
[2010/02/26 12:17:26 | 000,066,360 | ---- | M] () -- C:\Users\raff\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/26 12:00:44 | 000,010,476 | -HS- | M] () -- C:\Users\raff\AppData\Local\HACL0GM47D
[2010/02/26 11:48:56 | 000,027,136 | ---- | M] () -- C:\Users\raff\Documents\Gildernew.doc
[2010/02/25 19:39:33 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/02/25 19:14:05 | 000,006,824 | -HS- | M] () -- C:\Users\raff\AppData\Local\JoQP5tu6W
[2010/02/25 13:35:53 | 000,380,856 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/02/25 13:26:33 | 000,009,406 | -HS- | M] () -- C:\Users\raff\AppData\Local\go8BnXJqTyF4k
[2010/02/24 08:41:29 | 000,000,057 | ---- | M] () -- C:\autoexec.bat
[2010/02/24 00:55:19 | 000,010,834 | -HS- | M] () -- C:\Users\raff\AppData\Local\iHFx3
[2010/02/24 00:53:48 | 000,000,020 | ---- | M] () -- C:\Windows\System32\crt.dat
[2010/02/20 17:43:51 | 000,142,495 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/02/20 17:41:15 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/02/20 17:41:15 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/02/20 17:41:10 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/02/20 17:41:08 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/02/20 17:41:08 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/02/20 08:36:02 | 000,001,146 | -HS- | M] () -- C:\Users\raff\AppData\Local\v66l66MW5Tq
[2010/02/16 12:49:12 | 000,028,672 | ---- | M] () -- C:\Users\raff\Documents\Vitamin .doc
[2010/02/16 11:51:08 | 024,962,321 | ---- | M] () -- C:\Users\raff\Desktop\Angels MEDI.mp3
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/01 19:57:26 | 000,026,112 | ---- | C] () -- C:\Users\raff\Documents\NaíScoi fire planl.doc
[2010/03/01 18:46:50 | 000,128,256 | ---- | C] () -- C:\Users\raff\Desktop\DEV-GRAppForm.pdf
[2010/03/01 12:52:40 | 000,001,032 | -HS- | C] () -- C:\Users\raff\AppData\Local\5B4t56F8r4rw
[2010/03/01 12:52:39 | 000,187,392 | -HS- | C] () -- C:\Users\raff\AppData\Local\av.exe
[2010/03/01 09:32:52 | 000,001,020 | ---- | C] () -- C:\Users\Public\Desktop\uTorrent Turbo Accelerator.lnk
[2010/02/28 16:49:20 | 000,107,029 | ---- | C] () -- C:\Users\raff\Desktop\bookmarks-2010-02-28.json
[2010/02/28 16:31:18 | 000,002,788 | -HS- | C] () -- C:\Users\raff\AppData\Local\3lWA80e66MIo
[2010/02/28 13:52:45 | 3880,910,848 | ---- | C] () -- C:\Users\raff\Desktop\SHORTS.iso
[2010/02/27 15:55:30 | 000,280,576 | ---- | C] () -- C:\Users\raff\Desktop\Foirm_Iarratais_Sceim_na_nImeachtai_Oige_2010_11.doc
[2010/02/27 12:28:37 | 000,000,285 | ---- | C] () -- C:\Users\raff\Desktop\exefix.reg
[2010/02/27 07:54:48 | 000,011,106 | -HS- | C] () -- C:\Users\raff\AppData\Local\vC7T1jSucn6Bd
[2010/02/26 16:52:53 | 000,006,144 | ---- | C] () -- C:\Users\raff\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/26 12:49:57 | 000,000,036 | ---- | C] () -- C:\Users\raff\AppData\Local\housecall.guid.cache
[2010/02/26 12:46:49 | 000,001,874 | ---- | C] () -- C:\Users\raff\Desktop\HijackThis.lnk
[2010/02/26 11:49:12 | 000,010,476 | -HS- | C] () -- C:\Users\raff\AppData\Local\HACL0GM47D
[2010/02/26 11:48:56 | 000,027,136 | ---- | C] () -- C:\Users\raff\Documents\Gildernew.doc
[2010/02/25 19:39:33 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/02/25 19:10:00 | 000,006,824 | -HS- | C] () -- C:\Users\raff\AppData\Local\JoQP5tu6W
[2010/02/25 12:05:50 | 000,009,406 | -HS- | C] () -- C:\Users\raff\AppData\Local\go8BnXJqTyF4k
[2010/02/24 00:53:48 | 000,000,020 | ---- | C] () -- C:\Windows\System32\crt.dat
[2010/02/24 00:53:37 | 000,010,834 | -HS- | C] () -- C:\Users\raff\AppData\Local\iHFx3
[2010/02/20 08:36:02 | 000,001,146 | -HS- | C] () -- C:\Users\raff\AppData\Local\v66l66MW5Tq
[2010/02/16 12:49:12 | 000,028,672 | ---- | C] () -- C:\Users\raff\Documents\Vitamin .doc
[2010/02/16 11:46:00 | 024,962,321 | ---- | C] () -- C:\Users\raff\Desktop\Angels MEDI.mp3
[2010/02/16 11:37:38 | 035,412,309 | ---- | C] () -- C:\Users\raff\Desktop\Tara Sutphen - Akashic Records Guided Meditation.mp3
[2010/02/16 11:33:00 | 028,536,960 | ---- | C] () -- C:\Users\raff\Desktop\Tara Sutphen - Angels of Light Guided Meditation.mp3
[2010/02/15 07:19:46 | 000,011,754 | -HS- | C] () -- C:\Users\raff\AppData\Local\86S46Vh322ctJ
[2010/02/13 09:32:59 | 000,000,726 | -HS- | C] () -- C:\Users\raff\AppData\Local\GGru612642m
[2010/02/11 07:23:31 | 000,000,730 | -HS- | C] () -- C:\Users\raff\AppData\Local\R4AlO7HdsW5
[2010/02/01 19:18:00 | 000,011,590 | -HS- | C] () -- C:\Users\raff\AppData\Local\3067W2i6Qn
[2010/02/01 07:18:51 | 000,009,428 | -HS- | C] () -- C:\Users\raff\AppData\Local\OWSaTbG
[2010/01/30 17:16:00 | 000,010,116 | -HS- | C] () -- C:\Users\raff\AppData\Local\rifW
[2010/01/28 09:14:12 | 000,009,782 | -HS- | C] () -- C:\Users\raff\AppData\Local\qrly
[2010/01/27 08:10:04 | 000,010,714 | -HS- | C] () -- C:\Users\raff\AppData\Local\WRblt8464P
[2009/12/16 02:22:14 | 000,025,088 | ---- | C] () -- C:\Windows\System32\GsiDi32.dll
[2009/08/10 20:33:01 | 000,000,175 | ---- | C] () -- C:\Users\raff\AppData\Roaming\default.rss
[2009/07/23 16:37:28 | 000,008,360 | ---- | C] () -- C:\Users\raff\AppData\Roaming\PStrip.bk!
[2009/07/23 16:36:37 | 000,004,239 | ---- | C] () -- C:\Users\raff\AppData\Roaming\PStrip.bko
[2009/07/20 14:35:56 | 000,008,337 | ---- | C] () -- C:\Users\raff\AppData\Roaming\PStrip.bak
[2009/07/17 16:53:52 | 000,008,337 | ---- | C] () -- C:\Users\raff\AppData\Roaming\PStrip.ini
[2009/07/14 20:49:10 | 000,034,800 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/07/14 20:49:01 | 000,034,800 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/05/29 07:11:09 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/05/08 19:12:24 | 000,279,712 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2009/05/08 19:12:23 | 000,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2009/03/05 05:54:58 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2008/10/31 23:24:12 | 000,000,026 | ---- | C] () -- C:\Windows\MdlOptiflash.INI
[2008/10/31 22:57:15 | 000,000,000 | ---- | C] () -- C:\Windows\optiflash.INI
[2008/10/26 11:02:40 | 000,022,328 | ---- | C] () -- C:\Users\raff\AppData\Roaming\PnkBstrK.sys
[2008/09/27 14:21:07 | 000,000,026 | ---- | C] () -- C:\Windows\dvdSanta.INI
[2008/09/27 14:20:13 | 000,921,600 | ---- | C] () -- C:\Windows\System32\vorbisenc.dll
[2008/09/27 14:20:13 | 000,237,568 | ---- | C] () -- C:\Windows\System32\OggDS.dll
[2008/09/27 14:20:13 | 000,188,416 | ---- | C] () -- C:\Windows\System32\vorbis.dll
[2008/09/27 14:20:13 | 000,045,056 | ---- | C] () -- C:\Windows\System32\ogg.dll
[2008/08/17 19:47:14 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
[2008/08/14 13:48:38 | 000,004,767 | ---- | C] () -- C:\Windows\Irremote.ini
[2008/08/08 16:08:02 | 000,000,180 | ---- | C] () -- C:\Users\raff\AppData\Roaming\default.pls
[2008/07/23 14:29:55 | 000,000,032 | ---- | C] () -- C:\ProgramData\ezsid.dat
[2008/07/13 20:01:28 | 000,685,816 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2008/07/07 22:48:03 | 000,047,360 | ---- | C] () -- C:\Windows\System32\drivers\Surroundhp_kern_i386.sys
[2008/07/07 22:48:03 | 000,047,104 | ---- | C] () -- C:\Windows\System32\drivers\tshd4_kern_i386.sys
[2008/07/07 22:48:03 | 000,042,112 | ---- | C] () -- C:\Windows\System32\drivers\csiidecoder_kern_i386.sys
[2008/07/07 22:48:03 | 000,039,808 | ---- | C] () -- C:\Windows\System32\drivers\SRS_SSCFilter_i386.sys
[2008/07/05 13:52:03 | 000,000,276 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2008/07/03 14:37:28 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008/07/03 14:05:46 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
[2008/07/03 13:30:36 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/07/03 13:25:36 | 001,216,512 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/07/03 13:25:35 | 000,237,568 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2007/11/26 20:56:28 | 000,151,415 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2006/11/02 12:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2002/10/15 22:54:04 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar.dll

========== LOP Check ==========

[2007/01/01 03:38:31 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Anonymizer
[2008/11/30 15:17:44 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\avidemux
[2009/08/11 18:34:21 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2010/02/14 15:28:01 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Binverse
[2010/02/16 11:38:58 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\foobar2000
[2008/08/29 23:14:33 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\gnupg
[2008/08/04 00:41:09 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Gold Casual Games
[2008/07/03 13:55:18 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Grisoft
[2008/11/30 15:17:37 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\gtk-2.0
[2009/10/27 11:55:57 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\IrfanView
[2009/09/19 08:41:36 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Leadertech
[2008/07/16 17:03:49 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\SupportSoft
[2009/11/07 20:54:11 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\SystemRequirementsLab
[2008/11/27 10:59:26 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Ulead Systems
[2010/03/02 01:48:45 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\uTorrent
[2008/09/27 11:41:16 | 000,000,000 | ---D | M] -- C:\Users\raff\AppData\Roaming\Xilisoft Corporation
[2010/02/28 18:19:04 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/19 07:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/19 07:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 07:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/19 07:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\agp440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 07:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 07:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/01/19 05:06:48 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/01/19 05:06:48 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008/01/19 04:33:23 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/19 07:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 07:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 09:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 06:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 06:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/19 07:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 07:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 07:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/19 07:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 09:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 06:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 06:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 11:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/03/08 11:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2008/01/19 07:35:15 | 001,386,496 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\msvbvm60.dll
[2009/04/11 06:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 06:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
< End of report >


**************************************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 02:20:51
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\raff\AppData\Local\Temp\kxldrpob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85D251E8
Device \FileSystem\fastfat \FatCdrom 85BA8790
Device \Driver\volmgr \Device\VolMgrControl 85D221E8
Device \Driver\usbuhci \Device\USBPDO-0 86CBC790
Device \Driver\usbuhci \Device\USBPDO-1 86CBC790
Device \Driver\usbuhci \Device\USBPDO-2 86CBC790
Device \Driver\usbuhci \Device\USBPDO-3 86CBC790
Device \Driver\usbehci \Device\USBPDO-4 86CB3790

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\volmgr \Device\HarddiskVolume1 85D221E8
Device \Driver\volmgr \Device\HarddiskVolume2 85D221E8
Device \Driver\cdrom \Device\CdRom0 86CB5790
Device \Driver\volmgr \Device\HarddiskVolume3 85D221E8
Device \Driver\cdrom \Device\CdRom1 86CB5790
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85D241E8
Device \Driver\atapi \Device\Ide\IdePort0 85D241E8
Device \Driver\atapi \Device\Ide\IdePort1 85D241E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 85D241E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 85D241E8
Device \Driver\netbt \Device\NetBt_Wins_Export 874051E8
Device \Driver\PCI_NTPNP8878 \Device\0000004a sptd.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{A2EA9528-DCAD-4EC9-B490-F782B98664B1} 874051E8
Device \Driver\iScsiPrt \Device\RaidPort0 86E41790

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 86CBC790
Device \Driver\usbuhci \Device\USBFDO-1 86CBC790
Device \Driver\usbuhci \Device\USBFDO-2 86CBC790
Device \Driver\usbuhci \Device\USBFDO-3 86CBC790
Device \Driver\usbehci \Device\USBFDO-4 86CB3790
Device \Driver\ate7g4rj \Device\Scsi\ate7g4rj1 86E03790
Device \Driver\ate7g4rj \Device\Scsi\ate7g4rj1Port3Path0Target0Lun0 86E03790
Device \FileSystem\fastfat \Fat 85BA8790

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] ayeokqah <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] dlgdiqbz <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] efuzpaub <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] gcfwi <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] ixdrsoztt <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] nnviu <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] pmfmxs <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] rnuotoqxr <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] rxrddmpwq <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] tiqhkt <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] wjgpzkkk <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] xicujr <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] zopwq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0xEA 0xFC 0x7E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x55 0xAD 0x47 0xFB ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x9E 0xC7 0xC4 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xFA 0xCE 0x2E 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah@DisplayName Task Center
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah@Description Scan your computer for unwanted software, schedule scans, and get the latest unwanted software definitions.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ayeokqah\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz@DisplayName Driver Server
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz@Description iPod hardware management services
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\dlgdiqbz\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub@DisplayName Microsoft System
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub@Description The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\efuzpaub\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi@DisplayName Installer Server
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi@Description Manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcfwi\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt@DisplayName Time Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt@Description iPod hardware management services
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ixdrsoztt\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@DisplayName Monitor Center
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@Description Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs@DisplayName Windows Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs@Description Ad-Aware service
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmfmxs\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr@DisplayName Server System
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr@Description Coordinates transactions between MSDTC and the Kernel Transaction Manager (KTM).
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\rnuotoqxr\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq@DisplayName Network Server
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\rxrddmpwq\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0xEA 0xFC 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x10 0x6B 0x37 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDA 0xDE 0x5F 0x7B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x22 0xBB 0xD5 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@DisplayName Config Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@Description Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly.
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk@DisplayName Network Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk@Description Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly.
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\wjgpzkkk\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr@DisplayName Installer Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr@Description Maintains and improves system performance over time.
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\xicujr\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@DisplayName Update Shell
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@Description Manages user-mode driver host processes
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah@DisplayName Task Center
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah@Description Scan your computer for unwanted software, schedule scans, and get the latest unwanted software definitions.
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ayeokqah\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz@DisplayName Driver Server
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz@Description iPod hardware management services
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\dlgdiqbz\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub@DisplayName Microsoft System
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub@Description The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\efuzpaub\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi@DisplayName Installer Server
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi@Description Manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gcfwi\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt@DisplayName Time Monitor
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt@Description iPod hardware management services
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ixdrsoztt\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@DisplayName Monitor Center
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@Description Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs@DisplayName Windows Network
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs@Description Ad-Aware service
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\pmfmxs\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr@DisplayName Server System
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr@Description Coordinates transactions between MSDTC and the Kernel Transaction Manager (KTM).
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rnuotoqxr\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq@DisplayName Network Server
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq@Description Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rxrddmpwq\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x08 0xEA 0xFC 0x7E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8C 0x9B 0x71 0x33 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x59 0x05 0x82 0x96 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x22 0xBB 0xD5 0xA9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt@DisplayName Config Monitor
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt@Description Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly.
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\tiqhkt\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk@DisplayName Network Monitor
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk@Description Serves as the endpoint mapper and COM Service Control Manager. If this service is stopped or disabled, programs using COM or Remote Procedure Call (RPC) services will not function properly.
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\wjgpzkkk\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr@DisplayName Installer Network
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr@Description Maintains and improves system performance over time.
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\xicujr\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq@DisplayName Update Shell
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq@Description Manages user-mode driver host processes
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\zopwq\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll

---- EOF - GMER 1.0.15 ----


Thanks for taking the time to check this out. Any idea of how it kept getting in or why my usual anti-virus/spyware missed it?
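
The GMER output above has a pattern worth recognising on its own: thirteen services with random names (nnviu, tiqhkt, zopwq and so on), every one hosted by svchost.exe -k netsvcs, every one loading the same ServiceDll C:\Windows\system32\xfiiasuh.dll, and each carrying a Description copied word for word from a genuine Windows service (Windows Update, the RPC endpoint mapper, WMI, the audio service) so that it looks plausible in a services list. The small Python script below is an added example, not part of the thread and not code from GMER or OTL; it parses lines in the "Reg ..." format GMER prints and flags both halves of that pattern: several svchost-hosted services in one control set sharing a single ServiceDll, and a service whose Description matches a well-known Windows service under a different key name. The sample lines are constructed for the example (they reuse three of the service names and the DLL path from the log and add a genuine-looking wuauserv entry for contrast), and the table of description fragments mapped to real service names is my own, built from the standard Windows service descriptions quoted in the log.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER "Reg" line format seen in this thread. The rogue names and
# the xfiiasuh.dll path come from the posted log; the wuauserv entry is added for contrast.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@DisplayName Monitor Center
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu@Description Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, programs will not be able to use the Windows Update Agent (WUA) API.
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\nnviu\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@DisplayName Config Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt@Description Serves as the endpoint mapper and COM Service Control Manager.
Reg HKLM\SYSTEM\CurrentControlSet\Services\tiqhkt\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@DisplayName Update Shell
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq@Description Manages user-mode driver host processes
Reg HKLM\SYSTEM\CurrentControlSet\Services\zopwq\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv@DisplayName Windows Update
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv@Description Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, programs will not be able to use the Windows Update Agent (WUA) API.
Reg HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters@ServiceDll %SystemRoot%\system32\wuaueng.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\nnviu\Parameters@ServiceDll C:\Windows\system32\xfiiasuh.dll
"""

# One GMER "Reg" line: control set, service key, optional subkey, optional "@name value".
LINE_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@]+)"
    r"(?P<sub>\\[^@]*)?"
    r"(?:@(?P<name>\w+)\s+(?P<val>.*))?$"
)

# Distinctive fragment of a genuine Windows service description -> that service's key name.
# Assumption: this table is mine, built from the standard descriptions quoted in the log.
KNOWN_DESCRIPTIONS = {
    "Windows Update Agent (WUA) API": "wuauserv",
    "endpoint mapper and COM Service Control Manager": "RpcSs",
    "MSDTC and the Kernel Transaction Manager (KTM)": "KtmRm",
    "object model to access management information": "Winmgmt",
    "Diagnostic Policy Service": "DPS",
    "Manages audio for Windows-based programs": "AudioSrv",
    "Manages user-mode driver host processes": "wudfsvc",
    "improves system performance over time": "SysMain",
}


def parse_services(log_text):
    """Return {(control_set, service_key): {attribute: value}}.

    Attributes on the service key itself and on its Parameters subkey are merged;
    other subtrees (e.g. sptd\\Cfg driver configuration) carry no service attributes
    and are skipped.
    """
    services = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sub = (m.group("sub") or "").lower()
        if sub not in ("", r"\parameters"):
            continue
        entry = services[(m.group("cs"), m.group("svc"))]  # registers bare subkey lines too
        if m.group("name"):
            entry[m.group("name")] = m.group("val").strip()
    return dict(services)


def find_rogue_services(log_text):
    """Flag svchost-hosted services sharing one ServiceDll and cloned descriptions."""
    services = parse_services(log_text)
    by_dll = defaultdict(list)   # (control set, dll path) -> service keys hosting it
    cloned = {}                  # (control set, service key) -> genuine service it imitates
    for (cs, svc), attrs in services.items():
        image = attrs.get("ImagePath", "").lower()
        dll = attrs.get("ServiceDll", "").lower()
        if "svchost.exe" in image and dll:
            by_dll[(cs, dll)].append(svc)
        desc = attrs.get("Description", "")
        for fragment, genuine in KNOWN_DESCRIPTIONS.items():
            if fragment in desc and svc.lower() != genuine.lower():
                cloned[(cs, svc)] = genuine
    # A legitimate svchost service normally has its own DLL; several keys pointing at one
    # DLL is the persistence pattern seen in the log above.
    shared = {k: sorted(v) for k, v in by_dll.items() if len(v) > 1}
    return {"shared_dll": shared, "cloned_description": cloned}


if __name__ == "__main__":
    report = find_rogue_services(SAMPLE_LOG)
    for (cs, dll), names in report["shared_dll"].items():
        print(f"[{cs}] {len(names)} svchost services share {dll}: {', '.join(names)}")
    for (cs, svc), genuine in report["cloned_description"].items():
        print(f"[{cs}] {svc}: description copied from the genuine {genuine} service")
```

On the sample this reports the three rogue keys sharing xfiiasuh.dll in CurrentControlSet and names the genuine service each description was lifted from, while the real wuauserv entry, which has its own DLL and a matching key name, is left alone. Both checks are heuristics: a description match only says the text is borrowed, and a shared DLL is what finally ties the keys to one implant, which is why the OTL fix in the next post removes all thirteen services rather than any one of them.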

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 March 2010 - 08:06 AM

It's hard to pinpoint exactly how you may have become infected, although I do see uTorrent running, and that significantly increases your risk. I don't recommend file sharing programs, but if you do use them, don't have them running all the time.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - File not found [Auto | Stopped] -- -- (zopwq)
    SRV - File not found [Auto | Stopped] -- -- (xicujr)
    SRV - File not found [Auto | Stopped] -- -- (wjgpzkkk)
    SRV - File not found [Auto | Stopped] -- -- (tiqhkt)
    SRV - File not found [Auto | Stopped] -- -- (rxrddmpwq)
    SRV - File not found [Auto | Stopped] -- -- (rnuotoqxr)
    SRV - File not found [Auto | Stopped] -- -- (pmfmxs)
    SRV - File not found [Auto | Stopped] -- -- (nnviu)
    SRV - File not found [Auto | Stopped] -- -- (ixdrsoztt)
    SRV - File not found [Auto | Stopped] -- -- (gcfwi)
    SRV - File not found [Auto | Stopped] -- -- (efuzpaub)
    SRV - File not found [Auto | Stopped] -- -- (dlgdiqbz)
    SRV - File not found [Auto | Stopped] -- -- (ayeokqah)
    O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKU\S-1-5-21-1757698349-3404511116-2836484845-1000..\Run: [uTorrent]

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.


========================


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 raff

raff
  • Topic Starter

  • Members
  • 47 posts

Posted 02 March 2010 - 01:35 PM

Hi Sam, I had just done the OTL bit of your instructions and was in the process of doing the online scan when the av.exe started again and shut down the scan and IE. So I used the reg fix I got at: http://www.2-viruses.com/remove-vista-antispyware-2010 and am in the process of doing the scan again.

The log from OTL is as follows:


All processes killed
========== OTL ==========
Service zopwq stopped successfully!
Service zopwq deleted successfully!
Service xicujr stopped successfully!
Service xicujr deleted successfully!
Service wjgpzkkk stopped successfully!
Service wjgpzkkk deleted successfully!
Service tiqhkt stopped successfully!
Service tiqhkt deleted successfully!
Service rxrddmpwq stopped successfully!
Service rxrddmpwq deleted successfully!
Service rnuotoqxr stopped successfully!
Service rnuotoqxr deleted successfully!
Service pmfmxs stopped successfully!
Service pmfmxs deleted successfully!
Service nnviu stopped successfully!
Service nnviu deleted successfully!
Service ixdrsoztt stopped successfully!
Service ixdrsoztt deleted successfully!
Service gcfwi stopped successfully!
Service gcfwi deleted successfully!
Service efuzpaub stopped successfully!
Service efuzpaub deleted successfully!
Service dlgdiqbz stopped successfully!
Service dlgdiqbz deleted successfully!
Service ayeokqah stopped successfully!
Service ayeokqah deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1757698349-3404511116-2836484845-1000\Software\Microsoft\Windows\CurrentVersion\Run\\uTorrent deleted successfully.
File not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41044 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: raff
->Temp folder emptied: 3774777 bytes
->Temporary Internet Files folder emptied: 16663076 bytes
->Java cache emptied: 16955583 bytes
->FireFox cache emptied: 112199222 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 7506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 155648 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3668 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 14504669786 bytes

Total Files Cleaned = 13,976.00 mb


OTL by OldTimer - Version 3.1.32.0 log created on 03022010_170105

Files\Folders moved on Reboot...
File\Folder C:\Users\raff\AppData\Local\Temp\A9R1329.tmp not found!
File\Folder C:\Users\raff\AppData\Local\Temp\A9R132D.tmp not found!
File\Folder C:\Users\raff\AppData\Local\Temp\~DF8A51.tmp not found!
File\Folder C:\Users\raff\AppData\Local\Temp\~DF8A56.tmp not found!
File\Folder C:\Users\raff\AppData\Local\Temp\~DF8A9F.tmp not found!
File\Folder C:\Users\raff\AppData\Local\Temp\~DF8AA4.tmp not found!
File\Folder C:\Users\raff\AppData\Local\Temp\~DF8AC9.tmp not found!
File\Folder C:\Users\raff\AppData\Local\Temp\~DF8ACE.tmp not found!
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UNEEIQZ1\history_manager[1].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UNEEIQZ1\mail[1].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UNEEIQZ1\redirectiframe[1].html moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZOP16VA\mail[1].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SZOP16VA\rpc[1].js moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B31AJ0C8\10[2].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B31AJ0C8\DEV-CommSuppAppFormOVER500[1].pdf moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B31AJ0C8\mail[1].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03KA8HFR\contact[1].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03KA8HFR\facebook_com[1].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03KA8HFR\facebook_com[2].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03KA8HFR\funding-ni[1].htm moved successfully.
C:\Users\raff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03KA8HFR\mail[1].htm moved successfully.

Registry entries deleted on Reboot...

#6 raff

raff
  • Topic Starter

  • Members
  • 47 posts

Posted 02 March 2010 - 03:15 PM

The other scan finished, and although it was showing 9 infections before the av.exe closed it, it now states none!

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 March 2010 - 08:30 AM

Is there a log found here? If so, please post it.
C:\Program Files\EsetOnlineScanner\log.txt


Please download RKill from one of these links. Save it to your desktop and run it.

Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


#8 raff

raff
  • Topic Starter

  • Members
  • 47 posts

Posted 03 March 2010 - 12:39 PM

The log is as follows:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e16358e892efd74cb051f832fddc672e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-02 07:47:17
# local_time=2010-03-02 07:47:17 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 370063 370063 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 870933 870933 0 0
# compatibility_mode=5892 16776574 100 100 82132 105087599 0 0
# compatibility_mode=8192 67108863 100 0 8191 8191 0 0
# compatibility_mode=9730 16764925 100 95 534347 68793559 0 0
# scanned=160290
# found=0
# cleaned=0
# scan_time=4365


And I already have RKill and MBAM, so I will do those this evening. Thanks.

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 March 2010 - 12:45 PM

Ok. Also, when you post back, include the log from RKill, which should be found at C:\rkill.log

#10 raff

raff
  • Topic Starter

  • Members
  • 47 posts
  • Local time:06:20 PM

Posted 03 March 2010 - 01:54 PM

Sorry Sam but no log generated at that address and I can't find it elsewhere either. MalwareBytes found two infections and the log is as follows:

Malwarebytes' Anti-Malware 1.44
Database version: 3821
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

03/03/2010 18:54:26
mbam-log-2010-03-03 (18-54-26).txt

Scan type: Quick Scan
Objects scanned: 105179
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\raff\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\raff\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.

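As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the log format quoted above: it pulls out each detection line and folds the two av.exe hits into a single artifact, because on Vista `C:\Users\<user>\Local Settings\Application Data` is a compatibility junction onto `AppData\Local`, so a scanner that walks both names reports one file twice. The junction table and the log excerpt are constructed for this example.

```python
import re

# Constructed excerpt of the Malwarebytes log quoted in the thread (example data).
MBAM_LOG = r"""Files Infected: 2

Files Infected:
C:\Users\raff\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\raff\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
"""

# Vista/7 keep the XP-era per-user folder names as junctions onto the new locations.
# Assumed mapping for the example; longest legacy name first so it is matched first.
LEGACY_JUNCTIONS = [
    ("local settings\\application data", "AppData\\Local"),
    ("local settings\\temp", "AppData\\Local\\Temp"),
    ("application data", "AppData\\Roaming"),
]

# One MBAM detection line: <path> (<family>) -> <action>
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")


def canonical_path(path: str) -> str:
    """Rewrite a legacy junction name directly under C:\\Users\\<user>\\ to its real target."""
    for legacy, modern in LEGACY_JUNCTIONS:
        pattern = r"(?i)^([a-z]:\\users\\[^\\]+)\\" + re.escape(legacy) + r"\\"
        path = re.sub(pattern, lambda m, modern=modern: m.group(1) + "\\" + modern + "\\", path)
    return path


def parse_detections(log: str):
    """Return one record per detection line, with a case-folded canonical path for deduplication."""
    records = []
    for line in log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            records.append({
                "path": m["path"],
                "canonical": canonical_path(m["path"]).lower(),
                "family": m["family"],
                "action": m["action"],
            })
    return records


def unique_artifacts(log: str):
    """Map each distinct on-disk file to the set of detection names reported for it."""
    by_file = {}
    for r in parse_detections(log):
        by_file.setdefault(r["canonical"], set()).add(r["family"])
    return by_file
```

Running `unique_artifacts(MBAM_LOG)` yields a single key, `c:\users\raff\appdata\local\av.exe`, carrying both detection names, which is why the "Files Infected: 2" summary overstates the number of files actually removed.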

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:20 PM

Posted 03 March 2010 - 02:04 PM

Ok, no problem. How is your computer behaving now?


========================================================

#12 raff

raff
  • Topic Starter

  • Members
  • 47 posts
  • Local time:06:20 PM

Posted 03 March 2010 - 02:18 PM

QUOTE(Buckeye_Sam @ Mar 3 2010, 07:04 PM)
Ok, no problem. How is your computer behaving now?

It is going well, as it normally does, then after a few hours or days, boom, this pain is back! I hope now, with the extra steps you have shown, that the vulnerability that was allowing it through is plugged; I will report back in a few days if all remains good.


Thank you very much for taking the time to help, this was a real pain and hopefully is over.

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:20 PM

Posted 04 March 2010 - 08:14 AM

Sounds good. Just follow up with me in a few days and if all is well I'll post some final steps for you.


========================================================

#14 raff

raff
  • Topic Starter

  • Members
  • 47 posts
  • Local time:06:20 PM

Posted 07 March 2010 - 01:09 PM

OK three days and all is going well, thank you very much Sam, you're a star!!

#15 raff

raff
  • Topic Starter

  • Members
  • 47 posts
  • Local time:06:20 PM

Posted 08 March 2010 - 04:26 AM

Oh cr@p, it's back!! I do not know what is going on here! Just started the PC today and here it is!!



