rootkit virus


  • This topic is locked
9 replies to this topic

#1 donny008

donny008

  • Members
  • 4 posts

Posted 03 March 2010 - 05:56 PM

Hello

I have been using Kaspersky and I find a rootkit virus which is never deleted, rootkit.win32.tdss.d to be exact.

Could someone please help me with this. I have attached the GMER logs and the DDS logs.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Donny at 22:13:06,49 on 03.03.2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.401 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hercules\Deluxe Optical Glass\Camservice.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SmartVoip.com\SmartVoip\SmartVoip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Documents and Settings\Donny\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Hotbar: {90b8b761-df2b-48ac-bbe0-bcc03a819b3b} - c:\program files\hotbar\bin\11.0.78.0\HostIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Hotbar: {90b8b761-df2b-48ac-bbe0-bcc03a819b3b} - c:\program files\hotbar\bin\11.0.78.0\HostIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Hotbar Information Window: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - c:\program files\hotbar\bin\11.0.78.0\HostIE.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SmartVoip] "c:\program files\smartvoip.com\smartvoip\SmartVoip.exe" -nosplash -minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [CamserviceDeluxe2] c:\program files\hercules\deluxe optical glass\Camservice.exe /startup
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
IFEO: chrome.exe - c:\program files\internet explorer\iexplore.exe
IFEO: navigator.exe - c:\program files\internet explorer\iexplore.exe
IFEO: opera.exe - c:\program files\internet explorer\iexplore.exe
IFEO: safari.exe - c:\program files\internet explorer\iexplore.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\donny\applic~1\mozilla\firefox\profiles\bylxi9d6.default\
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-5-24 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-3-1 296976]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [2010-3-3 94720]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-5-25 303376]
S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 cpuz132;cpuz132;\??\c:\docume~1\donny\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\donny\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

=============== Created Last 30 ================

2010-03-03 11:27:38 10371072 ----a-w- c:\windows\system32\drivers\snpstd3.sys
2010-03-03 11:27:37 94720 ----a-w- c:\windows\system32\drivers\camfilt2.sys
2010-03-03 11:27:37 57344 ----a-w- c:\windows\system32\vsnpstd3.dll
2010-03-03 11:27:37 15478 ----a-w- c:\windows\snpstd3.ini
2010-03-03 11:27:37 13003 ----a-w- c:\windows\snpstd3.src
2010-03-03 11:27:36 53248 ----a-w- c:\windows\system32\csnpstd3.dll
2010-03-03 11:24:58 3600384 ----a-w- c:\windows\ffmpeg.exe
2010-03-03 11:24:45 0 d-----w- c:\windows\system32\HWC HD
2010-03-03 11:24:44 0 d-----w- c:\program files\Hercules
2010-03-02 14:22:17 0 d-----w- c:\program files\MVTec
2010-03-01 19:56:08 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-03-01 19:36:29 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-01 19:36:29 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-01 19:34:33 0 d-----w- c:\program files\Kaspersky Lab
2010-03-01 19:34:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-03-01 15:50:54 0 d-sh--w- c:\windows\system32\lowsec
2010-02-24 02:33:31 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cab4f9c0f5be20.mof
2010-02-22 19:57:39 332 ----a-w- c:\windows\system32\Compress.res
2010-02-22 19:55:35 232 ----a-w- c:\windows\reimage.ini
2010-02-22 19:54:59 0 d-----w- c:\program files\Reimage
2010-02-22 19:14:22 2 --shatr- c:\windows\winstart.bat
2010-02-22 08:13:45 0 d-----w- c:\program files\MSECache
2010-02-21 09:06:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-20 18:16:58 0 d-----w- c:\windows\system32\custom matrices
2010-02-20 18:16:23 0 d-----w- c:\windows\system32\QuickTime
2010-02-20 18:16:23 0 d-----w- c:\windows\system32\C2MP
2010-02-20 18:05:34 0 d-----w- c:\program files\Veoh Networks
2010-02-20 12:02:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-02-20 12:02:41 43056600 ----a-w- c:\windows\kis8.0.0.506en.exe
2010-02-10 21:21:28 0 d-----w- c:\program files\iSkysoft
2010-02-08 21:02:15 0 d-----w- C:\temp501
2010-02-08 21:01:27 5600 ----a-w- c:\windows\system\WINASPI.DLL
2010-02-08 21:01:27 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2010-02-08 21:01:27 25244 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-02-08 21:01:27 119296 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-02-08 21:00:52 0 d-----w- c:\program files\Nidesoft Studio

==================== Find3M ====================

2010-03-02 00:01:21 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-01 20:24:04 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-01-31 13:23:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-31 13:23:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-12 20:12:36 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-01 00:00:00 324096 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-01-01 00:00:00 248320 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-12-18 18:08:55 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 22:14:25,05 ===============


Can someone please help?

I don't know how to remove this from my system.

Thanks


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 07 March 2010 - 06:53 AM

Hello, my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. The forum has been busy.

* Please stay with me until I declare that your computer is clean, as most users don't reply anymore once they find out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days, otherwise this topic will be closed.




++++++++++++++++++++++++++


1. Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (right-click on the file and choose Extract All).
  • Double-click (Run as administrator for Vista) TDSSKiller.exe to run it.
  • When it has finished, press any key to continue (let it reboot if needed).
  • Once completed, it will create a log in your C:\ drive.
  • Please post the contents of that log.


2. Download Combofix (by Subs) from any of the links below, and save it to your desktop.
Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    • It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**
*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
**Please note**
*Leave your computer alone while ComboFix is running.
*ComboFix will restart your computer if malware is found; allow it to do so.
*Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter, DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 donny008

donny008
  • Topic Starter

  • Members
  • 4 posts

Posted 07 March 2010 - 10:37 AM

Thanks for the help.

And here are the logs.

ComboFix log:

ComboFix 10-03-06.07 - Donny 07.03.2010 16:06:18.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.672 [GMT 1:00]
Running from: c:\documents and settings\Donny\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\HotbarSA
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSA.dat
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSA_kyf.dat
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSAAbout.mht
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSAau.dat
c:\documents and settings\All Users\Application Data\HotbarSA\HotbarSAEULA.mht
c:\documents and settings\All Users\Start Menu\Programs\Hotbar
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\About Hotbar.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Games!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Uninstall Instructions.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Reset Cursor.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Weather.lnk
c:\documents and settings\Donny\Application Data\Hotbar
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\2605967.sdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\3340762.sdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\3786289.sdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\domains.txt
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\104622
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\173081
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\TooltipXML\26664
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\dynamic\ustat\38f8.dat
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\ads.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\btntrans.idx
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\btntrans1.dat
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\business_promo.htm
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\buttondir.txt
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\components.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\cursors.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_1000.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_2000.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_3000.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bar.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bbar1.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_logos.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_other.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\d_icons_weather.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\default.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_511745-514279.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz1.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz10.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz11.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz12.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz13.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz14.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz15.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz16.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz17.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz18.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz19.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz2.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz20.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz3.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz4.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz5.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz6.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz7.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz8.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_bidz9.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_categorize.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_comparison.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_em_PROFL_CA_flow_b_IEB.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_explorer-Mails.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_explorer-people.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_favorites.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Games.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Hide.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_hotbarcom.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Hotmail.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_hsskin.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jemster.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jemsterie.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jemsteruk.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_jobsearch.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_Mails.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_new.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_premium.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_reun.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_ringtones.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_SearchBoxTrapper.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_searchfor.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_searchgo.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_weather.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Default_yellowpages.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\editblbuttons.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-548964.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-9595.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\email-t1-bg.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\gamesmenu.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\gamesMenu.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\hb_ie_menu.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium-hotbar-premium.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\hotbar_promo.htm
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\icons2.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\ie_games_icon.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\ie_video.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\keywords.idx
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\keywords1.dat
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\layout.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\linkpathlegal.txt
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\more.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\new_games.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\progress.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\s_icons_buttons.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\sales_buttons.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\sdfmodifier.xml
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\t2_bg.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\theweb.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\top7.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\Top7_theweb.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\tsd_bg.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\1\weathericon.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\ads.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\btntrans.idx
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\btntrans1.dat
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\business_promo.htm
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\buttondir.txt
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\components.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\cursors.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_1000.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_2000.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_3000.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_bar.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_bbar1.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_logos.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_other.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\d_icons_weather.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\default.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_511745-514279.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz1.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz10.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz11.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz12.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz13.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz14.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz15.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz16.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz17.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz18.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz19.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz2.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz20.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz3.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz4.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz5.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz6.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz7.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz8.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_bidz9.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_categorize.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_comparison.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_em_PROFL_CA_flow_b_IEB.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_explorer-Mails.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_explorer-people.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_favorites.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_Games.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_Hide.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_hotbarcom.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_Hotmail.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_hsskin.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_jemster.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_jemsterie.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_jemsteruk.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_jobsearch.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_Mails.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_new.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_premium.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_reun.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_ringtones.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_SearchBoxTrapper.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_searchfor.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_searchgo.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_weather.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Default_yellowpages.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\editblbuttons.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\email-def-511724-548964.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\email-def-511724-9595.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\email-t1-bg.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\gamesmenu.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\gamesMenu.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\hb_ie_menu.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\hotbar-premium-hotbar-premium.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\hotbar-premium.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\hotbar_promo.htm
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\icons2.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\ie_games_icon.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\ie_video.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\keywords.idx
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\keywords1.dat
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\layout.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\linkpathlegal.txt
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\more.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\new_games.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\progress.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\s_icons_buttons.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\sales_buttons.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\sdfmodifier.xml
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\t2_bg.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\theweb.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\top7.cdf
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\Top7_theweb.mnu
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\tsd_bg.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\2\weathericon.res
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\ads.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\BtnTrans.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\BtnTrans1.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\business_promo.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\buttondir.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\cursors.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_1000.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_2000.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_3000.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bar.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bbar1.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_logos.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_other.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_weather.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\default.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\editblbuttons.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\email-t1-bg.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\gamesmenu.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\hb_ie_menu.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar-premium.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar_promo.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\icons2.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_games_icon.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_video.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords1.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\layout.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\linkpathlegal.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\more.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\progress.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\s_icons_buttons.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\sales_buttons.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.txt
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\sdfmodifier.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\t2_bg.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\top7.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\tsd_bg.xip
c:\documents and settings\Donny\Application Data\Hotbar\v3.5\Hotbar\static\DownLoad\weathericon.xip
c:\documents and settings\Donny\Application Data\Hotbar\Weather\Weather_XML\General
c:\documents and settings\Donny\Application Data\Hotbar\Weather\WeatherStartup.xml
c:\documents and settings\Donny\Application Data\WeatherDPA
c:\program files\Mozilla Firefox\components\npclntax.xpt
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-04 21:32 . 2010-03-04 21:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-04 21:32 . 2010-03-04 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-03 11:27 . 2007-07-17 17:07 10371072 ----a-w- c:\windows\system32\drivers\snpstd3.sys
2010-03-03 11:27 . 2007-08-06 14:29 94720 ----a-w- c:\windows\system32\drivers\camfilt2.sys
2010-03-03 11:27 . 2007-04-20 15:26 57344 ----a-w- c:\windows\system32\vsnpstd3.dll
2010-03-03 11:27 . 2005-11-23 12:55 53248 ----a-w- c:\windows\system32\csnpstd3.dll
2010-03-03 11:24 . 2006-08-01 11:31 3600384 ----a-w- c:\windows\ffmpeg.exe
2010-03-03 11:24 . 2010-03-03 11:29 -------- d-----w- c:\windows\system32\HWC HD
2010-03-03 11:24 . 2010-03-03 11:24 -------- d-----w- c:\program files\Hercules
2010-03-03 11:24 . 2010-03-03 11:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-03 11:24 . 2010-03-03 11:24 -------- d-----w- c:\documents and settings\Donny\Application Data\InstallShield
2010-03-03 09:54 . 2010-03-03 09:54 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-03-02 14:22 . 2010-03-02 14:22 -------- d-----w- c:\program files\MVTec
2010-03-01 20:24 . 2010-03-01 20:24 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-03-01 20:24 . 2010-03-01 20:24 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-03-01 20:24 . 2010-03-01 20:24 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-03-01 20:24 . 2010-03-01 20:24 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-03-01 20:24 . 2010-03-01 20:24 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-03-01 19:36 . 2010-03-01 20:23 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-01 19:34 . 2010-03-07 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-01 19:34 . 2010-03-01 19:34 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-22 21:57 . 2010-02-22 21:57 -------- d-----w- c:\documents and settings\Donny\Application Data\Apple Computer
2010-02-22 19:54 . 2010-02-22 21:02 -------- d-----w- c:\program files\Reimage
2010-02-22 19:14 . 2010-02-22 19:14 2 --shatr- c:\windows\winstart.bat
2010-02-22 08:13 . 2010-02-22 08:13 -------- d-----w- c:\program files\MSECache
2010-02-21 09:06 . 2010-02-21 09:06 -------- d-----w- c:\program files\Alwil Software
2010-02-21 09:06 . 2010-02-21 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-20 18:16 . 2010-02-20 18:16 -------- d-----w- c:\windows\system32\custom matrices
2010-02-20 18:16 . 2010-02-20 18:17 -------- d-----w- c:\windows\system32\C2MP
2010-02-20 18:16 . 2010-02-20 18:16 -------- d-----w- c:\windows\system32\QuickTime
2010-02-20 18:05 . 2010-02-20 18:05 -------- d-----w- c:\program files\Veoh Networks
2010-02-20 12:02 . 2010-03-01 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-20 12:02 . 2010-02-20 12:02 43056600 ----a-w- c:\windows\kis8.0.0.506en.exe
2010-02-19 21:54 . 2010-02-20 08:51 -------- d-----w- c:\program files\Opera
2010-02-19 12:35 . 2010-02-19 12:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-02-18 19:36 . 2010-02-18 19:36 -------- d-----w- c:\documents and settings\Donny\Local Settings\Application Data\ESET
2010-02-18 17:40 . 2010-02-18 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-02-16 18:30 . 2010-02-16 18:30 -------- d-----w- c:\documents and settings\Donny\Local Settings\Application Data\PCHealth
2010-02-10 21:21 . 2010-02-10 21:21 -------- d-----w- c:\program files\iSkysoft
2010-02-08 21:02 . 2010-02-08 21:02 -------- d-----w- c:\documents and settings\Donny\Application Data\dvdcss
2010-02-08 21:02 . 2010-02-08 21:02 -------- d-----w- C:\temp501
2010-02-08 21:01 . 2005-08-24 14:28 119296 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-02-08 21:01 . 1999-09-10 11:06 5600 ----a-w- c:\windows\system\WINASPI.DLL
2010-02-08 21:01 . 1999-09-10 11:06 4672 ----a-w- c:\windows\system\WOWPOST.EXE
2010-02-08 21:01 . 1999-09-10 11:06 25244 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-02-08 21:00 . 2010-02-08 21:00 -------- d-----w- c:\program files\Nidesoft Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 15:19 . 2009-10-27 06:18 -------- d-----w- c:\documents and settings\Donny\Application Data\Skype
2010-03-07 15:18 . 2009-10-27 06:20 -------- d-----w- c:\documents and settings\Donny\Application Data\skypePM
2010-03-07 14:27 . 2008-04-14 00:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-03 18:23 . 2009-10-31 06:46 -------- d-----w- c:\documents and settings\Donny\Application Data\BitTorrent
2010-03-02 16:45 . 2009-11-03 05:48 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-03-02 16:44 . 2009-10-27 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-03-02 16:44 . 2009-10-27 06:16 -------- d-----w- c:\program files\Yahoo!
2010-03-02 16:23 . 2009-12-06 17:47 -------- d-----w- c:\program files\AVS4YOU
2010-03-02 16:22 . 2009-12-06 17:47 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-03-01 20:24 . 2009-05-24 14:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-03-01 20:24 . 2010-03-01 20:24 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-03-01 20:24 . 2010-03-01 20:24 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-03-01 20:24 . 2010-03-01 20:24 296976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\5.1\klif.sys
2010-03-01 20:24 . 2010-03-01 20:24 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-03-01 20:24 . 2010-03-01 20:24 128016 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-03-01 20:24 . 2010-03-01 19:36 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-01 20:23 . 2010-03-01 20:23 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-03-01 20:23 . 2010-03-01 20:23 59920 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-03-01 20:23 . 2010-03-01 20:23 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-03-01 20:23 . 2010-03-01 20:23 296976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\5.1\klif.sys
2010-03-01 20:23 . 2010-03-01 20:23 128016 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-03-01 19:56 . 2010-03-01 19:56 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-02-26 20:59 . 2009-10-30 07:10 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-22 08:10 . 2009-11-07 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-17 18:31 . 2009-11-03 12:34 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-02-16 18:17 . 2009-11-25 18:44 73568 ----a-w- c:\documents and settings\Donny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-14 19:37 . 2009-10-31 07:54 -------- d-----w- c:\documents and settings\Donny\Application Data\vlc
2010-02-14 12:42 . 2010-01-31 13:21 -------- d-----w- c:\documents and settings\Donny\Application Data\PC Suite
2010-01-31 16:09 . 2010-01-31 13:19 -------- d-----w- c:\documents and settings\Donny\Application Data\Nokia
2010-01-31 16:07 . 2010-01-31 16:07 -------- d-----w- c:\documents and settings\Donny\Application Data\Nokia Ovi Suite
2010-01-31 15:40 . 2010-01-31 13:19 -------- d-----w- c:\program files\Common Files\Nokia
2010-01-31 15:39 . 2010-01-31 13:08 -------- d-----w- c:\program files\Nokia
2010-01-31 15:39 . 2010-01-31 13:16 -------- d-----w- c:\program files\DIFX
2010-01-31 15:39 . 2010-01-31 15:39 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-31 15:36 . 2010-01-31 15:35 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-31 15:35 . 2010-01-31 15:35 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-31 15:35 . 2010-01-31 15:35 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-31 15:35 . 2010-01-31 15:35 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-31 15:35 . 2010-01-31 15:35 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-31 15:35 . 2010-01-31 15:35 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-31 15:35 . 2010-01-31 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-31 15:33 . 2010-01-31 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-01-31 15:31 . 2010-01-31 15:31 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-01-31 15:30 . 2010-01-31 15:35 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_11_update.exe
2010-01-31 15:00 . 2010-01-31 13:24 -------- d-----w- c:\documents and settings\Donny\Application Data\Nseries
2010-01-31 14:23 . 2010-01-31 14:02 158528 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-31 14:13 . 2010-01-31 14:13 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2010-01-31 14:12 . 2010-01-31 14:12 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2010-01-31 14:12 . 2010-01-31 14:12 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2010-01-31 14:12 . 2010-01-31 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-31 14:12 . 2010-01-31 14:18 24403616 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_1.8.10EN.exe
2010-01-31 14:10 . 2010-01-31 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2010-01-31 13:59 . 2009-11-07 12:10 -------- d-----w- c:\program files\MSBuild
2010-01-31 13:58 . 2010-01-31 13:58 -------- d-----w- c:\program files\Reference Assemblies
2010-01-31 13:24 . 2010-01-31 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-01-31 13:23 . 2010-01-31 13:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-31 13:23 . 2010-01-31 13:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-31 13:18 . 2010-01-31 13:18 -------- d-----w- c:\program files\MSXML 6.0
2010-01-31 07:45 . 2009-11-08 09:54 -------- d-----w- c:\documents and settings\Donny\Application Data\TeamViewer
2010-01-31 07:44 . 2009-11-08 09:54 -------- d-----w- c:\program files\TeamViewer
2010-01-29 12:44 . 2010-01-29 12:22 -------- d-----w- c:\documents and settings\Donny\Application Data\Teleca
2010-01-29 12:22 . 2010-01-29 12:22 -------- d-----w- c:\documents and settings\Donny\Application Data\Sony Ericsson
2010-01-29 12:13 . 2010-01-29 12:13 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-21 13:21 . 2009-10-27 06:31 -------- d-----w- c:\documents and settings\Donny\Application Data\SmartVoip
2010-01-12 20:12 . 2010-01-12 20:12 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-01 00:00 . 2010-01-01 00:00 324096 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-01-01 00:00 . 2010-01-01 00:00 248320 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-12-18 18:08 . 2009-12-18 18:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-18 18:05 . 2009-12-18 18:05 152576 ----a-w- c:\documents and settings\Donny\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-18 18:05 . 2009-12-18 18:05 79488 ----a-w- c:\documents and settings\Donny\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-07 17:24 . 2009-12-06 12:28 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2010-02-14 18:53 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"SmartVoip"="c:\program files\SmartVoip.com\SmartVoip\SmartVoip.exe" [2009-11-24 9055536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CamserviceDeluxe2"="c:\program files\Hercules\Deluxe Optical Glass\Camservice.exe" [2007-08-10 81920]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\qttask.exe" [2009-09-05 417792]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Donny^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Donny\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
DevDetect.exe -autorun [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 14:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamserviceDeluxe2]
2007-08-10 13:38 81920 ----a-w- c:\program files\Hercules\Deluxe Optical Glass\CamService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 05:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
2009-07-30 16:15 9156912 ----a-w- c:\program files\FreeCall.com\FreeCall\FreeCall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2009-11-06 15:00 2090272 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2009-12-10 14:05 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\MpcStar\Codecs\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-18 18:09 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-02-19 00:46 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\Program Files\\SmartVoip.com\\SmartVoip\\SmartVoip.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [3/3/2010 12:27 PM 94720]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
S3 cpuz132;cpuz132;\??\c:\docume~1\Donny\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\Donny\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys [?]
.
.
------- Supplementary Scan -------
.
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Donny\Application Data\Mozilla\Firefox\Profiles\bylxi9d6.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-ActionVoip - c:\program files\ActionVoip.com\ActionVoip\ActionVoip.exe
MSConfigStartUp-Google Update - c:\documents and settings\Donny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-HotbarSA - c:\program files\Hotbar\bin\11.0.78.0\HotbarSA.exe
MSConfigStartUp-Jumblo - c:\program files\Jumblo.com\Jumblo\Jumblo.exe
MSConfigStartUp-Rynga - c:\program files\Rynga.com\Rynga\Rynga.exe
MSConfigStartUp-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
MSConfigStartUp-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
MSConfigStartUp-TkBellExe - c:\program files\K-Lite Codec Pack\Real\Update_OB\realsched.exe
MSConfigStartUp-WeatherDPA - c:\program files\Hotbar\bin\11.0.78.0\Weather.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 16:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Donny\LOCALS~1\Temp\ypt2B.tmp 1 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3160)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-07 16:24:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 15:24

Pre-Run: 6.333.980.672 bytes free
Post-Run: 6.370.471.936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4205DF5BF97CAC806ADFC23DE1E72F32





TDSS log


14:03:02:935 2948 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
14:03:02:935 2948 ================================================================================
14:03:02:935 2948 SystemInfo:

14:03:02:935 2948 OS Version: 5.1.2600 ServicePack: 3.0
14:03:02:935 2948 Product type: Workstation
14:03:02:935 2948 ComputerName: FRIENDS-5FBAE9F
14:03:02:935 2948 UserName: Donny
14:03:02:935 2948 Windows directory: C:\WINDOWS
14:03:02:935 2948 Processor architecture: Intel x86
14:03:02:935 2948 Number of processors: 1
14:03:02:935 2948 Page size: 0x1000
14:03:02:945 2948 Boot type: Normal boot
14:03:02:945 2948 ================================================================================
14:03:02:955 2948 UnloadDriverW: NtUnloadDriver error 2
14:03:02:955 2948 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:03:03:336 2948 Initialize success
14:03:03:336 2948
14:03:03:366 2948 Scanning Services ...
14:03:03:376 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:03:03:376 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:03:03:376 2948 wfopen_ex: Trying to KLMD file open
14:03:03:376 2948 wfopen_ex: File opened ok (Flags 2)
14:03:03:376 2948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:03:03:376 2948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:03:03:376 2948 wfopen_ex: Trying to KLMD file open
14:03:03:376 2948 wfopen_ex: File opened ok (Flags 2)
14:03:05:058 2948 GetAdvancedServicesInfo: Raw services enum returned 338 services
14:03:05:058 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:03:05:108 2948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:03:05:108 2948
14:03:05:148 2948 Scanning Kernel memory ...
14:03:05:148 2948 Devices to scan: 3
14:03:05:148 2948
14:03:05:188 2948 Driver Name: Disk
14:03:05:188 2948 IRP_MJ_CREATE : F7535BB0
14:03:05:188 2948 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
14:03:05:188 2948 IRP_MJ_CLOSE : F7535BB0
14:03:05:188 2948 IRP_MJ_READ : F752FD1F
14:03:05:188 2948 IRP_MJ_WRITE : F752FD1F
14:03:05:228 2948 IRP_MJ_QUERY_INFORMATION : 804FA87E
14:03:05:228 2948 IRP_MJ_SET_INFORMATION : 804FA87E
14:03:05:228 2948 IRP_MJ_QUERY_EA : 804FA87E
14:03:05:228 2948 IRP_MJ_SET_EA : 804FA87E
14:03:05:228 2948 IRP_MJ_FLUSH_BUFFERS : F75302E2
14:03:05:228 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
14:03:05:268 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
14:03:05:268 2948 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
14:03:05:268 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
14:03:05:268 2948 IRP_MJ_DEVICE_CONTROL : F75303BB
14:03:05:268 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7533F28
14:03:05:268 2948 IRP_MJ_SHUTDOWN : F75302E2
14:03:05:328 2948 IRP_MJ_LOCK_CONTROL : 804FA87E
14:03:05:328 2948 IRP_MJ_CLEANUP : 804FA87E
14:03:05:328 2948 IRP_MJ_CREATE_MAILSLOT : 804FA87E
14:03:05:328 2948 IRP_MJ_QUERY_SECURITY : 804FA87E
14:03:05:328 2948 IRP_MJ_SET_SECURITY : 804FA87E
14:03:05:328 2948 IRP_MJ_POWER : F7531C82
14:03:05:369 2948 IRP_MJ_SYSTEM_CONTROL : F753699E
14:03:05:369 2948 IRP_MJ_DEVICE_CHANGE : 804FA87E
14:03:05:369 2948 IRP_MJ_QUERY_QUOTA : 804FA87E
14:03:05:369 2948 IRP_MJ_SET_QUOTA : 804FA87E
14:03:05:489 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
14:03:05:489 2948 sion
14:03:05:989 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:03:05:989 2948
14:03:05:989 2948 Driver Name: Disk
14:03:06:009 2948 IRP_MJ_CREATE : F7535BB0
14:03:06:009 2948 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
14:03:06:009 2948 IRP_MJ_CLOSE : F7535BB0
14:03:06:009 2948 IRP_MJ_READ : F752FD1F
14:03:06:009 2948 IRP_MJ_WRITE : F752FD1F
14:03:06:009 2948 IRP_MJ_QUERY_INFORMATION : 804FA87E
14:03:06:050 2948 IRP_MJ_SET_INFORMATION : 804FA87E
14:03:06:050 2948 IRP_MJ_QUERY_EA : 804FA87E
14:03:06:050 2948 IRP_MJ_SET_EA : 804FA87E
14:03:06:050 2948 IRP_MJ_FLUSH_BUFFERS : F75302E2
14:03:06:050 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
14:03:06:050 2948 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
14:03:06:070 2948 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
14:03:06:070 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
14:03:06:070 2948 IRP_MJ_DEVICE_CONTROL : F75303BB
14:03:06:070 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7533F28
14:03:06:070 2948 IRP_MJ_SHUTDOWN : F75302E2
14:03:06:070 2948 IRP_MJ_LOCK_CONTROL : 804FA87E
14:03:06:090 2948 IRP_MJ_CLEANUP : 804FA87E
14:03:06:090 2948 IRP_MJ_CREATE_MAILSLOT : 804FA87E
14:03:06:090 2948 IRP_MJ_QUERY_SECURITY : 804FA87E
14:03:06:090 2948 IRP_MJ_SET_SECURITY : 804FA87E
14:03:06:090 2948 IRP_MJ_POWER : F7531C82
14:03:06:090 2948 IRP_MJ_SYSTEM_CONTROL : F753699E
14:03:06:120 2948 IRP_MJ_DEVICE_CHANGE : 804FA87E
14:03:06:120 2948 IRP_MJ_QUERY_QUOTA : 804FA87E
14:03:06:120 2948 IRP_MJ_SET_QUOTA : 804FA87E
14:03:06:230 2948 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
14:03:06:230 2948 sion
14:03:06:600 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:03:06:600 2948
14:03:06:600 2948 Driver Name: atapi
14:03:06:600 2948 IRP_MJ_CREATE : 86F0AA9A
14:03:06:600 2948 IRP_MJ_CREATE_NAMED_PIPE : 86F0AA9A
14:03:06:600 2948 IRP_MJ_CLOSE : 86F0AA9A
14:03:06:600 2948 IRP_MJ_READ : 86F0AA9A
14:03:06:600 2948 IRP_MJ_WRITE : 86F0AA9A
14:03:06:600 2948 IRP_MJ_QUERY_INFORMATION : 86F0AA9A
14:03:06:600 2948 IRP_MJ_SET_INFORMATION : 86F0AA9A
14:03:06:600 2948 IRP_MJ_QUERY_EA : 86F0AA9A
14:03:06:600 2948 IRP_MJ_SET_EA : 86F0AA9A
14:03:06:600 2948 IRP_MJ_FLUSH_BUFFERS : 86F0AA9A
14:03:06:600 2948 IRP_MJ_QUERY_VOLUME_INFORMATION : 86F0AA9A
14:03:06:600 2948 IRP_MJ_SET_VOLUME_INFORMATION : 86F0AA9A
14:03:06:610 2948 IRP_MJ_DIRECTORY_CONTROL : 86F0AA9A
14:03:06:610 2948 IRP_MJ_FILE_SYSTEM_CONTROL : 86F0AA9A
14:03:06:610 2948 IRP_MJ_DEVICE_CONTROL : 86F0AA9A
14:03:06:610 2948 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86F0AA9A
14:03:06:610 2948 IRP_MJ_SHUTDOWN : 86F0AA9A
14:03:06:610 2948 IRP_MJ_LOCK_CONTROL : 86F0AA9A
14:03:06:620 2948 IRP_MJ_CLEANUP : 86F0AA9A
14:03:06:620 2948 IRP_MJ_CREATE_MAILSLOT : 86F0AA9A
14:03:06:620 2948 IRP_MJ_QUERY_SECURITY : 86F0AA9A
14:03:06:620 2948 IRP_MJ_SET_SECURITY : 86F0AA9A
14:03:06:620 2948 IRP_MJ_POWER : 86F0AA9A
14:03:06:620 2948 IRP_MJ_SYSTEM_CONTROL : 86F0AA9A
14:03:06:620 2948 IRP_MJ_DEVICE_CHANGE : 86F0AA9A
14:03:06:620 2948 IRP_MJ_QUERY_QUOTA : 86F0AA9A
14:03:06:620 2948 IRP_MJ_SET_QUOTA : 86F0AA9A
14:03:06:650 2948 ihd: 0, 0, 607, 138, 3, 120, 1
14:03:06:650 2948 Driver "atapi" Irp handler infected by TDSS rootkit ... 14:03:06:650 2948 cured
14:03:06:650 2948 Driver "atapi" StartIo handler infected by TDSS rootkit ... 14:03:06:660 2948 cured
14:03:06:660 2948 siohd: 1
14:03:06:660 2948 Driver "atapi" StartIo handler infected by TDSS rootkit ... 14:03:06:670 2948 cured
14:03:06:801 2948 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
14:03:06:801 2948 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 14:03:06:801 2948 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
14:03:06:801 2948 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
14:03:08:343 2948 vfvi6
14:03:08:683 2948 !dsvbh1
14:03:11:618 2948 dsvbh2
14:03:11:678 2948 fdfb2
14:03:11:688 2948 Backup copy found, using it..
14:03:11:808 2948 will be cured on next reboot
14:03:11:818 2948 Reboot required for cure complete..
14:03:11:988 2948 Cure on reboot scheduled successfully
14:03:11:988 2948
14:03:11:988 2948 Completed
14:03:11:988 2948
14:03:11:988 2948 Results:
14:03:11:988 2948 Memory objects infected / cured / cured on reboot: 3 / 3 / 0
14:03:11:988 2948 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:03:11:988 2948 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:03:11:998 2948
14:03:11:998 2948 UnloadDriverW: NtUnloadDriver error 1
14:03:11:998 2948 KLMD_Unload: UnloadDriverW(klmd21) error 1
14:03:11:998 2948 KLMD(ARK) unloaded successfully


Kindly guide me.


donny
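The TDSSKiller log above prints, for every scanned disk driver, the address of each IRP_MJ_* dispatch handler and then a verdict. For disk.sys the entries point at several distinct addresses, while for atapi every entry points at the same address (86F0AA9A), which is the pattern the tool then reports as an infected IRP handler. As an added example, not part of this thread or of TDSSKiller itself, the Python below parses a constructed excerpt in that log format, extracts each driver's dispatch table, the tool's own "infected" lines and its verdict, and flags a driver whose every recorded handler collapses to one address. The excerpt, the `min_entries` threshold and the heuristic are assumptions made for the example.

```python
"""Heuristic triage of a TDSSKiller-style log: per-driver IRP dispatch tables."""
import re
from collections import OrderedDict

# Constructed excerpt in the format of the TDSSKiller log in this thread
# (timestamp, thread id, then the message). Addresses are the ones the log shows.
SAMPLE_LOG = r"""14:03:05:188 2948 Driver Name: Disk
14:03:05:188 2948 IRP_MJ_CREATE : F7535BB0
14:03:05:188 2948 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
14:03:05:188 2948 IRP_MJ_CLOSE : F7535BB0
14:03:05:188 2948 IRP_MJ_READ : F752FD1F
14:03:05:188 2948 IRP_MJ_WRITE : F752FD1F
14:03:05:268 2948 IRP_MJ_DEVICE_CONTROL : F75303BB
14:03:05:989 2948 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:03:06:600 2948 Driver Name: atapi
14:03:06:600 2948 IRP_MJ_CREATE : 86F0AA9A
14:03:06:600 2948 IRP_MJ_CREATE_NAMED_PIPE : 86F0AA9A
14:03:06:600 2948 IRP_MJ_CLOSE : 86F0AA9A
14:03:06:600 2948 IRP_MJ_READ : 86F0AA9A
14:03:06:600 2948 IRP_MJ_WRITE : 86F0AA9A
14:03:06:610 2948 IRP_MJ_DEVICE_CONTROL : 86F0AA9A
14:03:06:650 2948 Driver "atapi" Irp handler infected by TDSS rootkit ... 14:03:06:650 2948 cured
14:03:06:801 2948 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

# Each line is "<timestamp> <thread id> <message>"; the regexes below match the
# three message shapes the triage cares about.
DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (\S+)$")
IRP_RE = re.compile(r"^\S+ \d+ (IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
INFECTED_RE = re.compile(r'^\S+ \d+ Driver "(\S+)" (\w+) handler infected by TDSS rootkit')
VERDICT_RE = re.compile(r"^\S+ \d+ (\S+) - Verdict: (\w+)$")


def parse_tdss_log(text):
    """Return one record per 'Driver Name:' block, in log order."""
    drivers = []
    current = None
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            current = {"name": m.group(1), "handlers": OrderedDict(),
                       "tool_flags": [], "path": None, "verdict": None}
            drivers.append(current)
            continue
        if current is None:
            continue  # lines before the first driver block are not of interest
        m = IRP_RE.match(line)
        if m:
            current["handlers"][m.group(1)] = int(m.group(2), 16)
            continue
        m = INFECTED_RE.match(line)
        if m:
            current["tool_flags"].append(m.group(2))  # e.g. "Irp" or "StartIo"
            continue
        m = VERDICT_RE.match(line)
        if m:
            current["path"], current["verdict"] = m.group(1), m.group(2)
    return drivers


def suspicious_dispatch_table(handlers, min_entries=3):
    """Heuristic (assumption): a table whose every recorded IRP_MJ_* entry points
    at a single address is worth investigating. A legitimate driver implements
    several distinct handlers and only shares one stub for unsupported requests."""
    return len(handlers) >= min_entries and len(set(handlers.values())) == 1


def triage(text):
    """Map driver name -> heuristic result plus what the tool itself reported."""
    report = {}
    for d in parse_tdss_log(text):
        report[d["name"]] = {
            "uniform_dispatch": suspicious_dispatch_table(d["handlers"]),
            "tool_flags": list(d["tool_flags"]),
            "verdict": d["verdict"],
        }
    return report


def format_report(report):
    """Render the triage as one line per driver for a reader of the log."""
    lines = []
    for name, r in report.items():
        flag = "SUSPICIOUS" if r["uniform_dispatch"] else "ok"
        lines.append("%-8s dispatch=%s tool_flags=%s verdict=%s"
                     % (name, flag, ",".join(r["tool_flags"]) or "-", r["verdict"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

The heuristic is a reading aid for logs like this one, not a replacement for the tool's verdict: the repeated 804FA87E entries for disk.sys are most likely a kernel stub for requests the driver does not implement, so a few shared entries are normal, whereas the table for atapi is uniform across every request type, including CREATE, READ and DEVICE_CONTROL, which is what the page's log then confirms with its "Irp handler infected" line and "Verdict: Infected".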


#4 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:22 AM

Posted 08 March 2010 - 10:22 AM

Hi, let's remove some remnants. After the steps below, please tell me how your PC is running. Thanks.


Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitTorrent).
These programmes allow files to be shared between users, as the name suggests. In today's world, cyber crime has grown to an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."




+++++++++++++++++++++++


1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Please click this link-->Jotti
  • When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

    c:\program files\FreeCall.com\FreeCall\FreeCall.exe
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at VirusTotal: http://www.virustotal.com/




2. Please copy the contents of the code box below, open Notepad and paste it there.
  • On the top toolbar in Notepad select File, then Save As. In the box that opens, type in look.bat for the file name.
  • Right below that, click the down arrow in the "Save as type" line and select All Files.
  • Save this to your desktop and close Notepad.
  • Locate the look.bat icon on your desktop and double-click it.
  • A Notepad window will pop up. Copy the contents of the Notepad window and post it in your next reply.

CODE
@echo off
dir /x "C:\temp501" >> "%userprofile%\desktop\look.txt"
notepad "%userprofile%\desktop\look.txt"
del "%userprofile%\desktop\look.txt"
del %0




3. Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




~Semp







~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 donny008

  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:22 PM

Posted 09 March 2010 - 07:00 PM

Thanks for the help, sempai.

Please find below the results of the different procedures.

This was the info displayed for the file freecaller.exe:



File size: 9156912 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 4b0ab5de5c25f6da81d2310421fb60f3
SHA1: 60d0a386e468ec5414eaab108ae83407ff5f08de
Packer (Drweb): ZLIB







This is the result from look.bat:




Volume in drive C has no label.
Volume Serial Number is 7841-6837

Directory of C:\temp501

08.02.2010 22:02 <DIR> .
08.02.2010 22:02 <DIR> ..
08.02.2010 22:02 <DIR> Snapshot
0 File(s) 0 bytes
3 Dir(s) 6.285.508.608 bytes free





Log of Malwarebytes:




Malwarebytes' Anti-Malware 1.44
Database version: 3843
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10.03.2010 00:58:00
mbam-log-2010-03-10 (00-58-00).txt

Scan type: Quick Scan
Objects scanned: 117494
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a078f691-9c07-4af2-bf43-35e79eecf8b7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



What should I do further to save my system?

thanks
don


#6 sempai


    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:22 AM

Posted 10 March 2010 - 08:20 AM

Hi, how's your computer running now?


1. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.



2. Please create a new DDS and GMER log and post them for my review.


~Semp



#7 donny008

  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:22 PM

Posted 11 March 2010 - 12:20 PM

Hello,

Below is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, March 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, March 11, 2010 00:37:36
Records in database: 3761988
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Objects scanned: 38894
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:37:27

No threats found. Scanned area is clean.

Selected area has been scanned.




Below is the DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Donny at 14:35:52,17 on 11.03.2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1033.18.1023.620 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe
C:\Documents and Settings\Donny\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\mpcstar\codecs\quicktime\qttask.exe" -atboottime
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: bmnet.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\donny\applic~1\mozilla\firefox\profiles\bylxi9d6.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mpcstar\codecs\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-11 9216]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [2010-3-3 94720]
S3 cpuz132;cpuz132;\??\c:\docume~1\donny\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\donny\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-3-11 112640]

=============== Created Last 30 ================

2010-03-11 13:25:51 0 d-----w- c:\docume~1\donny\applic~1\FLEXnet
2010-03-11 13:17:27 112640 ----a-r- c:\windows\system32\drivers\ewusbnet.sys
2010-03-11 13:17:22 102400 ----a-r- c:\windows\system32\drivers\ewusbmdm.sys
2010-03-11 13:16:50 0 d-----w- c:\docume~1\donny\applic~1\Vodafone
2010-03-11 13:16:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Vodafone
2010-03-11 13:15:56 0 d-----w- c:\program files\Vodafone
2010-03-11 13:15:31 8464 ----a-w- c:\windows\system32\SpOrder.dll
2010-03-09 23:44:20 0 d-----w- c:\docume~1\donny\applic~1\Malwarebytes
2010-03-09 23:44:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-09 23:44:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-09 23:44:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 23:44:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-07 15:04:16 0 d-sha-r- C:\cmdcons
2010-03-07 14:59:29 98816 ----a-w- c:\windows\sed.exe
2010-03-07 14:59:29 77312 ----a-w- c:\windows\MBR.exe
2010-03-07 14:59:29 261632 ----a-w- c:\windows\PEV.exe
2010-03-07 14:59:29 161792 ----a-w- c:\windows\SWREG.exe
2010-03-04 21:32:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-03 11:27:38 10371072 ----a-w- c:\windows\system32\drivers\snpstd3.sys
2010-03-03 11:27:37 94720 ----a-w- c:\windows\system32\drivers\camfilt2.sys
2010-03-03 11:27:37 57344 ----a-w- c:\windows\system32\vsnpstd3.dll
2010-03-03 11:27:37 15478 ----a-w- c:\windows\snpstd3.ini
2010-03-03 11:27:37 13003 ----a-w- c:\windows\snpstd3.src
2010-03-03 11:27:36 53248 ----a-w- c:\windows\system32\csnpstd3.dll
2010-03-03 11:24:58 3600384 ----a-w- c:\windows\ffmpeg.exe
2010-03-03 11:24:45 0 d-----w- c:\windows\system32\HWC HD
2010-03-03 11:24:44 0 d-----w- c:\program files\Hercules
2010-03-02 14:22:17 0 d-----w- c:\program files\MVTec
2010-02-24 02:33:31 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cab4f9c0f5be20.mof
2010-02-22 19:57:39 332 ----a-w- c:\windows\system32\Compress.res
2010-02-22 19:55:35 232 ----a-w- c:\windows\reimage.ini
2010-02-22 19:54:59 0 d-----w- c:\program files\Reimage
2010-02-22 19:14:22 2 --shatr- c:\windows\winstart.bat
2010-02-22 08:13:45 0 d-----w- c:\program files\MSECache
2010-02-21 09:06:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-20 18:16:58 0 d-----w- c:\windows\system32\custom matrices
2010-02-20 18:16:23 0 d-----w- c:\windows\system32\QuickTime
2010-02-20 18:16:23 0 d-----w- c:\windows\system32\C2MP
2010-02-20 18:05:34 0 d-----w- c:\program files\Veoh Networks
2010-02-20 12:02:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-02-20 12:02:41 43056600 ----a-w- c:\windows\kis8.0.0.506en.exe
2010-02-10 21:21:28 0 d-----w- c:\program files\iSkysoft

==================== Find3M ====================

2010-03-07 14:27:13 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-31 13:23:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-01-31 13:23:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-12 20:12:36 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-01 00:00:00 324096 ----a-w- c:\windows\system32\TomsMoComp_ff.dll
2010-01-01 00:00:00 248320 ----a-w- c:\windows\system32\ff_kernelDeint.dll
2009-12-18 18:08:55 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 14:36:12,30 ===============



Does this mean my computer is clean now?




#8 sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:22 AM

Posted 12 March 2010 - 08:03 AM

Hi Donny,

Yes, your logs are clean... but I would like to inform you that one of the infections that we removed is a backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall



++++++++

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.



Please let me know if you still have any issues..... Thanks.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:22 AM

Posted 16 March 2010 - 07:29 AM

Hi, are you still with me?

~Semp



#10 sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:22 AM

Posted 17 March 2010 - 04:25 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp


