
Hello I been having problems with my comp plz help.


  • This topic is locked
30 replies to this topic

#1 moris

moris

  • Members
  • 28 posts

Posted 28 April 2010 - 10:36 PM

Hey everyone, I'm new to this forum so I hope I posted in the right section.

Ok, my problem began 4 or 5 days ago. I scanned my computer with Malwarebytes and found the virus; I removed it and it came back after the restart. I used HijackThis and a German website that shows you what files are bad and need to be fixed. I did all that, fixed them and restarted. After I restarted they came back, then I used SmitfraudFix, did a clean scan for hijack DNS and all of that, and then turned it on and there was nothing, no virus, nothing. Used Malwarebytes to scan the computer with Ad-Aware, and Norton and Spyware Doctor; came back in the morning and Malwarebytes found 47 infections and the other scanners found infections also. I removed them all and then restarted; the viruses didn't go away. I had to take drastic measures and used ComboFix. There were no anti-malware programs on at the time and so I continued, clicked it and it said detecting Spyware Doctor anti-malware or w/e, so I ran it and stuff and it worked fine. It showed me the log of the stuff it deleted and my computer was fine. Now here comes the problem I have: when Combo removed those things it showed me the log, which I will post, and I was glad it removed them but..... I looked at my Task Manager and they are back. My computer would just open random webpages when I had the virus; like 3 mins ago it opened some Netflix page. Also my mouse has the hourglass next to it every 10 seconds and some kind of a process keeps restarting in the Task Manager.... Between all of those days I have been getting that hourglass thing next to my mouse and webpages opening. I did get a name of the virus, XP Security Tool 2010. I have reasons to believe I removed it because I used a guide for SmitfraudFix on how to remove it and used a trojan fakere an exe.reg file that would let me delete some registry which I couldn't.... Also I see this file popping up and I am using Google Chrome: "would you like to make Internet Explorer your default browser..." It keeps showing up.
And for no reason right now I have iexplorer.exe running when I am on Chrome... Also I uninstalled every anti-malware program I had and got a brand new ComboFix from a different computer and ran it, and it keeps saying I have Spyware Doctor running but I don't because I uninstalled it.

Here are the logs


For combofix




ComboFix 10-04-26.05 - MORIS 04/27/2010 22:18:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1211 [GMT -7:00]
Running from: F:\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Application Data\5R6uLSM2.exe
c:\documents and settings\MORIS\Application Data\0200000044cb8bb1891C.manifest
c:\documents and settings\MORIS\Application Data\0200000044cb8bb1891O.manifest
c:\documents and settings\MORIS\Application Data\0200000044cb8bb1891P.manifest
c:\documents and settings\MORIS\Application Data\0200000044cb8bb1891S.manifest
c:\documents and settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{d198baab-5a72-4e82-af7c-2b2bb2dba2b4}
c:\documents and settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{d198baab-5a72-4e82-af7c-2b2bb2dba2b4}\chrome.manifest
c:\documents and settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{d198baab-5a72-4e82-af7c-2b2bb2dba2b4}\chrome\xulcache.jar
c:\documents and settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{d198baab-5a72-4e82-af7c-2b2bb2dba2b4}\defaults\preferences\xulcache.js
c:\documents and settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{d198baab-5a72-4e82-af7c-2b2bb2dba2b4}\install.rdf
c:\documents and settings\MORIS\Local Settings\Application Data\{B3A39938-B3FB-43DC-AE45-9A51079B0152}
c:\documents and settings\MORIS\Local Settings\Application Data\{B3A39938-B3FB-43DC-AE45-9A51079B0152}\chrome.manifest
c:\documents and settings\MORIS\Local Settings\Application Data\{B3A39938-B3FB-43DC-AE45-9A51079B0152}\chrome\content\_cfg.js
c:\documents and settings\MORIS\Local Settings\Application Data\{B3A39938-B3FB-43DC-AE45-9A51079B0152}\chrome\content\overlay.xul
c:\documents and settings\MORIS\Local Settings\Application Data\{B3A39938-B3FB-43DC-AE45-9A51079B0152}\install.rdf
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\ltmoh\Ltmoh.exe
c:\program files\Shared
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Toshiba\Toshiba Applet\thotkey.exe
c:\windows\Help\rgb.chm
c:\windows\system32\404Fix.exe
c:\windows\system32\853864732
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\unrar.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\At100.job
c:\windows\Ujeqea.exe
c:\windows\wpe pro.INI

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 04:57 . 2010-04-28 05:00 -------- d-----w- c:\windows\SxsCaPendDel
2010-04-27 12:00 . 2010-04-27 12:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-04-27 07:48 . 2010-04-27 07:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-27 07:47 . 2010-04-27 07:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-27 06:48 . 2010-04-27 06:48 -------- d-----w- c:\documents and settings\MORIS\Local Settings\Application Data\Threat Expert
2010-04-27 05:01 . 2010-04-27 05:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
2010-04-27 03:16 . 2009-04-12 09:48 52224 --sh--r- C:\MSI.com
2010-04-26 13:32 . 2010-04-26 13:32 5136 ----a-w- c:\windows\system32\youja_.dll
2010-04-25 22:37 . 2010-04-28 05:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-25 22:26 . 2010-04-28 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-25 22:26 . 2010-04-25 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-25 22:26 . 2010-04-25 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-25 22:00 . 2010-04-25 22:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Conduit
2010-04-25 22:00 . 2010-04-25 22:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Vuze_Remote
2010-04-25 21:38 . 2010-04-25 21:38 -------- d-----w- c:\documents and settings\MORIS\Local Settings\Application Data\Conduit
2010-04-25 21:38 . 2010-04-25 21:38 -------- d-----w- c:\program files\Conduit
2010-04-25 21:38 . 2010-04-25 21:38 8851392 ------w- c:\documents and settings\MORIS\Application Data\Azureus\tmp\AZU3950688538197296288.tmp\Vuze_4.4.0.0a_win32.exe
2010-04-25 20:32 . 2010-04-25 20:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-25 20:27 . 2010-04-25 20:27 -------- d-----w- c:\program files\Common Files\Java
2010-04-25 20:27 . 2010-04-25 20:27 61440 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f30e3c4-n\decora-sse.dll
2010-04-25 20:27 . 2010-04-25 20:27 12800 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3f30e3c4-n\decora-d3d.dll
2010-04-25 20:27 . 2010-04-25 20:27 503808 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1c5a1d57-n\msvcp71.dll
2010-04-25 20:27 . 2010-04-25 20:27 499712 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1c5a1d57-n\jmc.dll
2010-04-25 20:27 . 2010-04-25 20:27 348160 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1c5a1d57-n\msvcr71.dll
2010-04-25 20:27 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-25 20:23 . 2010-04-28 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-24 08:12 . 2010-04-24 08:12 -------- d-----w- c:\documents and settings\MORIS\Application Data\Yahoo!
2010-04-24 08:12 . 2010-04-24 08:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-24 08:12 . 2010-04-24 08:12 -------- d-----w- c:\program files\Yahoo!
2010-04-24 08:12 . 2010-04-24 08:12 -------- d-----w- c:\program files\CCleaner
2010-04-23 22:08 . 2010-04-23 22:08 4736 ----a-w- c:\windows\system32\o.sys
2010-04-23 05:16 . 2010-04-23 05:16 70656 --sha-r- c:\windows\system32\kanji_1J.dll
2010-04-11 19:55 . 2010-04-11 19:55 -------- d-----w- C:\Perfect World Entertainment
2010-04-07 05:43 . 2010-04-07 04:40 258352 ----a-w- c:\windows\system32\unicows.dll
2010-04-07 04:39 . 2010-04-07 05:43 -------- d-----w- c:\documents and settings\MORIS\Application Data\GetRightToGo
2010-04-05 16:16 . 2010-04-28 04:42 -------- d-----w- C:\Games
2010-04-05 15:36 . 2010-04-05 16:58 -------- d-----w- c:\program files\World of Kungfu Europe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 05:24 . 2009-11-04 06:32 -------- d-----w- c:\program files\ltmoh
2010-04-28 05:13 . 2009-12-02 19:58 -------- d-----w- c:\program files\DNA
2010-04-28 05:13 . 2009-12-02 19:58 -------- d-----w- c:\documents and settings\MORIS\Application Data\DNA
2010-04-28 05:04 . 2009-11-05 04:56 -------- d-----w- c:\documents and settings\MORIS\Application Data\LimeWire
2010-04-28 05:03 . 2009-11-05 22:41 -------- d-----w- c:\documents and settings\MORIS\Application Data\Skype
2010-04-28 05:03 . 2009-11-05 03:17 -------- d-----w- c:\documents and settings\MORIS\Application Data\Xfire
2010-04-28 05:02 . 2009-11-21 19:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-28 04:40 . 2010-04-24 09:16 112 ----a-w- c:\documents and settings\All Users\Application Data\5flf5gf2l.dat
2010-04-28 00:51 . 2009-11-15 08:54 -------- d-----w- c:\documents and settings\MORIS\Application Data\vlc
2010-04-28 00:41 . 2009-11-06 02:50 -------- d-----w- c:\documents and settings\MORIS\Application Data\Azureus
2010-04-28 00:36 . 2009-11-05 22:41 -------- d-----w- c:\documents and settings\MORIS\Application Data\skypePM
2010-04-27 22:26 . 2009-11-04 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-27 10:39 . 2004-08-03 21:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-26 05:30 . 2009-11-06 02:49 -------- d-----w- c:\program files\Vuze
2010-04-25 20:27 . 2009-11-04 06:37 -------- d-----w- c:\program files\Java
2010-04-25 20:17 . 2009-11-07 02:39 -------- d-----w- c:\program files\Windows Live
2010-04-24 07:43 . 2010-02-19 00:21 120 ----a-w- c:\windows\Wwufadotex.dat
2010-04-24 07:12 . 2010-02-19 00:21 0 ----a-w- c:\windows\Ncukahinalulin.bin
2010-04-23 22:05 . 2010-04-23 22:05 37376 ----a-w- c:\windows\Fonts\Cp2i2N.com
2010-04-23 22:05 . 2010-02-22 03:03 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-23 05:14 . 2010-04-23 05:13 1077248 --sha-w- c:\windows\system32\1470.tmp
2010-03-30 07:46 . 2009-11-04 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-11-04 23:07 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 03:30 . 2010-03-25 03:30 -------- d-----w- c:\program files\IObit
2010-03-17 23:45 . 2010-03-15 13:34 -------- d-----w- c:\program files\Runes of Magic
2010-03-15 21:44 . 2010-03-15 05:34 -------- d-----w- c:\documents and settings\MORIS\Application Data\FOG Downloader
2010-02-26 06:10 . 2010-02-26 06:10 6462 ----a-r- c:\documents and settings\MORIS\Application Data\Microsoft\Installer\{93CF9FA6-2A5E-4F8E-923E-F7D8741CB312}\_7128E1F9F222A8E24D3CAA.exe
2010-02-26 06:10 . 2010-02-26 06:10 21630 ----a-r- c:\documents and settings\MORIS\Application Data\Microsoft\Installer\{93CF9FA6-2A5E-4F8E-923E-F7D8741CB312}\_ED5A694DDDFCA3353724A2.exe
2010-02-26 06:10 . 2010-02-26 06:10 21630 ----a-r- c:\documents and settings\MORIS\Application Data\Microsoft\Installer\{93CF9FA6-2A5E-4F8E-923E-F7D8741CB312}\_CFD6D42B6B589B419C4C1C.exe
2010-02-26 06:10 . 2010-02-26 06:10 21630 ----a-r- c:\documents and settings\MORIS\Application Data\Microsoft\Installer\{93CF9FA6-2A5E-4F8E-923E-F7D8741CB312}\_6FEFF9B68218417F98F549.exe
2010-02-19 00:16 . 2010-02-19 00:16 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
.
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DNA\btdna .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\ltmoh\Ltmoh .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\TOSHIBA\TOSCDSPD\toscdspd .exe
c:\program files\TOSHIBA\TOSHIBA Applet\thotkey .exe
c:\program files\Windows Live\Messenger\msnmsgr         .exe
c:\program files\Windows Live\Messenger\msnmsgr        .exe
c:\program files\Windows Live\Messenger\msnmsgr       .exe
c:\program files\Windows Live\Messenger\msnmsgr      .exe
c:\program files\Windows Live\Messenger\msnmsgr     .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-24 37384]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-04-24 37384]
"Microsoft Software Installer"="c:\microsoft software installer\MSI.exe" [2009-04-12 52224]
"Google Update"="c:\documents and settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-28 37388]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [N/A]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"NDSTray.exe"="NDSTray.exe" [N/A]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [N/A]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-04-25 37388]

c:\documents and settings\MORIS\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-11-5 3152272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-11-3 155648]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
calcnify REG_SZ c:\windows\system32\qfecasks.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype .exe"=

R2 k;k;c:\windows\system32\o.sys [4/23/2010 3:08 PM 4736]
S0 gxojs;gxojs; [x]
S3 SVRPEDRV;SVRPEDRV;\??\d:\bin\PEDrv.sys --> d:\bin\PEDrv.sys [?]
S3 XDva309;XDva309;\??\c:\windows\system32\XDva309.sys --> c:\windows\system32\XDva309.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1383384898-682003330-1003Core.job
- c:\documents and settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-28 00:37]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1383384898-682003330-1003UA.job
- c:\documents and settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-28 00:37]

2010-04-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-07 06:18]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 22:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...






Here is HijackThis.



Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 20:00:45, on 4/28/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Microsoft Software Installer\MSI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\All Users\Application Data\5R6uLSM2.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\DNA\btdna .exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Microsoft Software Installer] C:\Microsoft Software Installer\MSI.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_v1004 Class) - http://www.netgame.com/mplugin/mglaunch_USAv1005.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 5212 bytes















Also I would like to remove some files but I can't, like btdna.exe, I just can't remove it.... This is a very interesting virus and right now I removed this from earlier but it is back, 5R6uLSM2.exe, and I don't know why I have 2 instances of Chrome running when I have one tab and one Chrome open..

Edited by Budapest, 28 April 2010 - 10:41 PM.
Moved from AII ~BP
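The logs above contain a few indicators that can be checked mechanically: process names padded with whitespace before ".exe" (jusched .exe, btdna .exe, msnmsgr .exe) sitting beside their genuine namesakes, a value registered under AppCertDlls, both Security Center override flags set, and the standard-profile firewall turned off. The following Python script is an added example for this thread, not part of the original post and not code from ComboFix, HijackThis or OTL; it runs those checks over a constructed sample assembled from lines of the posted logs.

```python
"""Triage checks for indicators that appear in the ComboFix and HijackThis logs
posted above. Added example for this thread; it is not part of the original
post, and it is not ComboFix, HijackThis or OTL code.

It flags four things a responder would pick out of those logs:
  1. executables whose name carries whitespace before ".exe" (look-alikes of a
     real process name, e.g. "jusched .exe" running beside the genuine
     "jusched.exe"), and whether the genuine twin is present too,
  2. any entry registered under the AppCertDlls key, which is loaded into
     every process that calls CreateProcess,
  3. Security Center override values set to 1,
  4. the standard-profile Windows Firewall policy switched off.
"""
import re

# Constructed sample input: a few lines copied from the logs in this thread
# (HijackThis "Running processes" paths and ComboFix registry lines).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\DNA\btdna .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
C:\Documents and Settings\All Users\Application Data\5R6uLSM2.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
calcnify REG_SZ c:\windows\system32\qfecasks.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# A path whose basename ends in whitespace then ".exe"; the padding is the only
# thing that tells it apart from the real program in the same directory.
PADDED_EXE = re.compile(r"^(?P<dir>.*\\)(?P<stem>[^\\\s][^\\]*?)\s+\.exe$", re.IGNORECASE)
PLAIN_EXE = re.compile(r"^(?P<dir>.*\\)(?P<stem>[^\\\s][^\\]*?)\.exe$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches both spellings ComboFix uses: "Name"=dword:00000001 and "Name"= 0 (0x0)
REG_DWORD = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-f]{8})|(?P<dec>\d+)\s*\(0x[0-9a-f]+\))$',
    re.IGNORECASE,
)


def triage(log_text):
    """Return the four indicator lists for one log. Each padded-name hit is a
    (path, genuine_twin_present) tuple; the other lists hold the raw values."""
    findings = {"padded_exe": [], "appcertdlls": [],
                "security_center_override": [], "firewall_disabled": []}
    padded = []          # (path, dir, stem) for names with padding
    seen_plain = set()   # (dir, stem) of normally named executables
    current_key = ""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = PADDED_EXE.match(line)
        if m:
            padded.append((line.strip(), m["dir"].lower(), m["stem"].lower()))
            continue
        m = PLAIN_EXE.match(line)
        if m:
            seen_plain.add((m["dir"].lower(), m["stem"].lower()))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        # Anything at all under AppCertDlls is worth a look; the key is
        # normally absent or empty.
        if current_key.endswith(r"\session manager\appcertdlls"):
            findings["appcertdlls"].append(line.strip())
            continue
        m = REG_DWORD.match(line)
        if not m:
            continue
        value = int(m["hex"], 16) if m["hex"] else int(m["dec"])
        name = m["name"].lower()
        if current_key.endswith(r"\security center") and name.endswith("override") and value == 1:
            findings["security_center_override"].append(m["name"])
        elif current_key.endswith(r"\firewallpolicy\standardprofile") and name == "enablefirewall" and value == 0:
            findings["firewall_disabled"].append(current_key)
    # Second pass: does each padded name sit next to a genuine copy?
    for path, d, stem in padded:
        findings["padded_exe"].append((path, (d, stem) in seen_plain))
    return findings


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```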



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 03 May 2010 - 10:26 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 12 May 2010 - 09:43 AM

Due to lack of feedback, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 19 August 2010 - 04:17 PM

Reopened as requested. I will paste in your log as well. Please post me also the other requested logs.

OTL logfile created on: 8/19/2010 10:07:54 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\MORIS\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 64.71 Gb Free Space | 43.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MORIS-829EBC444
Current User Name: MORIS
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/19 10:07:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MORIS\My Documents\Downloads\OTL.exe
PRC - [2010/02/18 11:43:18 | 000,248,040 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched .exe
PRC - [2007/09/19 21:48:51 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/20 12:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005/11/28 12:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/11/28 12:29:00 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/11/28 12:28:14 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/11/17 16:44:38 | 000,798,720 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
PRC - [2005/11/02 17:41:04 | 000,978,944 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2005/10/06 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/07/21 19:38:24 | 000,901,120 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
PRC - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/08/28 01:37:00 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe


========== Modules (SafeList) ==========

MOD - [2010/08/19 10:07:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MORIS\My Documents\Downloads\OTL.exe
MOD - [2007/09/19 21:35:28 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/03 15:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\msapps\comsrvr.exe -- (COMServer)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService)
SRV - [2005/12/20 12:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/11/28 12:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2005/11/28 12:29:00 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2005/11/28 12:28:14 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva309.sys -- (XDva309)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\tifm21.sys -- (tifm21)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\BIN\PEDrv.sys -- (SVRPEDRV)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Nexon\MapleStory\npkcrypt.sys -- (npkcrypt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
DRV - [2010/04/23 15:08:25 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\o.sys -- (k)
DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2007/09/19 21:33:16 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/12/16 17:15:06 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/12/09 17:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/05 02:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/11/28 13:09:26 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/11/15 10:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/10/20 15:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/10/06 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/10/06 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/10/06 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/10/06 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/10/06 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/10/06 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/10/06 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/24 16:20:28 | 000,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)
DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/06/02 04:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2003/01/29 15:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]

IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]
IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://google.atcomet.com/b/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.21


[2009/11/06 19:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Extensions
[2009/11/04 21:57:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/11/05 19:50:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\extensions
[2009/11/05 19:50:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/07/23 02:19:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions
[2010/06/13 16:01:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/13 21:42:20 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2010/02/21 03:22:32 | 000,712,704 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2009/11/09 18:30:56 | 000,189,592 | ---- | M] (MGame) -- C:\Program Files\Mozilla Firefox\plugins\NPMFireLauncher.dll

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.6.22.dll (BitComet)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe File not found
O4 - HKLM..\Run: [CFSServ.exe] File not found
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [Mobile Connectivity Suite] C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe ()
O4 - HKLM..\Run: [mSpot] C:\Program Files\mSpot\mSpot\mSpot.exe ()
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003..\Run: [Google Update] C:\Documents and Settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe File not found
O4 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr .exe File not found
O4 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent .exe (BitTorrent, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\MORIS\Start Menu\Programs\Startup\Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (Xfire Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.6.22.dll (BitComet)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} http://www.netgame.com/mplugin/mglaunch_USAv1005.cab (MGLaunch_v1004 Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.128.12
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/03 22:45:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/08/17 14:31:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MORIS\My Documents\Runes of Magic
[2010/08/17 01:48:28 | 000,000,000 | ---D | C] -- C:\Program Files\Runes of Magic
[2010/08/16 23:28:28 | 000,000,000 | ---D | C] -- C:\Runes_of_Magic_3.0.1.2153
[2010/08/15 11:18:09 | 000,000,000 | ---D | C] -- C:\Program Files\directx
[2010/08/15 11:13:58 | 000,000,000 | ---D | C] -- C:\Sierra
[2010/08/14 18:15:06 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/14 15:58:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/08/08 19:45:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Application Data\vlc
[2010/08/04 05:35:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Desktop\Defcon
[2010/08/03 23:02:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Local Settings\Application Data\mSpot
[2010/08/03 23:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\mSpot
[2010/08/03 17:46:29 | 000,000,000 | ---D | C] -- C:\Program Files\Free M4a to MP3 Converter
[2010/08/03 15:28:06 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2010/07/31 14:25:25 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2010/07/31 14:20:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Application Data\Teleca
[2010/07/31 14:20:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Local Settings\Application Data\HTC
[2010/07/31 14:20:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HTC
[2010/07/31 14:20:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Teleca Shared
[2010/07/31 14:20:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Teleca
[2010/07/31 14:19:42 | 001,122,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WdfCoInstaller01007.dll
[2010/07/31 14:19:42 | 000,024,576 | ---- | C] (HTC, Corporation) -- C:\WINDOWS\System32\drivers\ANDROIDUSB.sys
[2010/07/31 14:19:38 | 000,000,000 | ---D | C] -- C:\Program Files\Spirent Communications
[2010/07/31 14:19:33 | 000,000,000 | ---D | C] -- C:\Program Files\HTC
[2010/07/31 14:18:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010/07/31 13:59:41 | 000,031,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2010/07/29 16:26:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Desktop\Downloads
[2010/07/29 15:54:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\My Documents\LimeWire
[2010/07/29 15:52:32 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2010/07/28 13:19:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nexon
[2010/07/27 15:37:17 | 000,000,000 | ---D | C] -- C:\Nexon
[2009/11/03 23:34:41 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/19 10:09:40 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\MORIS\NTUSER.DAT
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At144.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At143.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At142.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At141.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At140.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At139.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At138.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At137.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At136.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At135.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At134.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At133.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At132.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At131.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At130.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At129.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At128.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At127.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At126.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At125.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At124.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At123.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At122.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At121.job
[2010/08/19 10:08:01 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\5flf5gf2l.dat
[2010/08/19 10:08:00 | 000,072,706 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\5R6uLSM2.exe
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At99.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At98.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At97.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At120.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At119.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At118.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At117.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At116.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At115.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At114.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At113.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At112.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At111.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At110.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At109.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At108.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At107.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At106.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At105.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At104.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At103.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At102.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At101.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At100.job
[2010/08/18 23:00:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At96.job
[2010/08/18 23:00:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At72.job
[2010/08/18 23:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2010/08/18 23:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/08/18 22:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At95.job
[2010/08/18 22:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At71.job
[2010/08/18 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2010/08/18 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/08/18 21:11:36 | 000,000,279 | ---- | M] () -- C:\Shortcut to Local Disk (C).lnk
[2010/08/18 21:10:42 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/08/18 21:10:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/18 21:10:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/18 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At94.job
[2010/08/18 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At70.job
[2010/08/18 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2010/08/18 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/08/18 20:00:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At69.job
[2010/08/18 20:00:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/08/18 20:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At93.job
[2010/08/18 20:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At92.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At91.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At90.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At89.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At88.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At87.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At86.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At85.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At84.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At83.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At82.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At81.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At80.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At79.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At78.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At77.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At76.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At75.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At74.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At73.job
[2010/08/18 19:31:06 | 000,000,314 | RHS- | M] () -- C:\boot.ini
[2010/08/18 19:29:45 | 000,047,024 | ---- | M] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/18 19:29:21 | 000,214,472 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/18 19:28:04 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\MORIS\ntuser.ini
[2010/08/18 19:06:20 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At64.job
[2010/08/18 19:06:20 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2010/08/18 19:06:20 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/08/18 14:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At63.job
[2010/08/18 14:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/08/18 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2010/08/18 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At62.job
[2010/08/18 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2010/08/18 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/08/18 12:45:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/18 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At61.job
[2010/08/18 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2010/08/18 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/08/18 11:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At60.job
[2010/08/18 11:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2010/08/18 11:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At68.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At67.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At66.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At65.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At59.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At58.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At57.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At56.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At55.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At54.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At53.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At52.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At51.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At50.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At49.job
[2010/08/17 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2010/08/17 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/08/17 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2010/08/17 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/08/17 16:00:04 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/08/17 16:00:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2010/08/17 14:19:59 | 000,158,208 | ---- | M] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/17 14:16:16 | 006,062,084 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\ewrg4.mpg
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/08/17 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/08/17 02:21:25 | 000,001,614 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\Runes of Magic.lnk
[2010/08/17 02:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/08/17 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/08/17 00:37:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/08/16 23:10:31 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Battle of the Immortals.lnk
[2010/08/15 21:01:10 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\h.doc
[2010/08/15 11:25:47 | 000,001,685 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth - The Art of Conquest.lnk
[2010/08/15 11:21:46 | 000,000,515 | ---- | M] () -- C:\WINDOWS\SIERRA.INI
[2010/08/15 11:17:42 | 000,001,531 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth.lnk
[2010/08/14 18:31:41 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\MORIS R. V. resume.doc
[2010/08/14 18:11:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/14 16:15:45 | 004,317,540 | -H-- | M] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\IconCache.db
[2010/08/14 15:59:37 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/08 19:21:58 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/08/03 17:46:30 | 000,000,758 | ---- | M] () -- C:\Documents and Settings\MORIS\Application Data\Microsoft\Internet Explorer\Quick Launch\Free M4a to MP3 Converter.lnk
[2010/08/03 17:46:30 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\Free M4a to MP3 Converter.lnk
[2010/08/03 17:46:30 | 000,000,735 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\My Music Tools.lnk
[2010/08/03 15:28:08 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\YouTube Downloader.lnk
[2010/08/02 14:22:05 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\U.P. Letter.doc
[2010/08/01 23:42:53 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\26.doc
[2010/07/31 14:25:31 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
[2010/07/31 14:25:30 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2010/07/28 00:32:37 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\OPERATION7.lnk
[2010/07/27 22:08:02 | 001,976,296 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\Operation7Downloader-20100325.exe
[2010/07/27 20:15:18 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\w9vij7cc.exe
[2010/07/27 15:42:31 | 000,001,497 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Combat Arms.lnk
[2010/07/22 20:22:03 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/22 20:22:03 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/22 20:22:03 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At144.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At143.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At142.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At141.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At140.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At139.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At138.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At137.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At136.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At135.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At134.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At133.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At132.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At131.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At130.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At129.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At128.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At127.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At126.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At125.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At124.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At123.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At122.job
[2010/08/19 10:08:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At121.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At99.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At98.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At97.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At120.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At119.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At118.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At117.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At116.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At115.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At114.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At113.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At112.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At111.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At110.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At109.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At108.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At107.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At106.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At105.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At104.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At103.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At102.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At101.job
[2010/08/18 23:15:57 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At100.job
[2010/08/18 21:11:36 | 000,000,279 | ---- | C] () -- C:\Shortcut to Local Disk (C).lnk
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At96.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At95.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At94.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At93.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At92.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At91.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At90.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At89.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At88.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At87.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At86.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At85.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At84.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At83.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At82.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At81.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At80.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At79.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At78.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At77.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At76.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At75.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At74.job
[2010/08/18 19:46:50 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At73.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At72.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At71.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At70.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At69.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At68.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At67.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At66.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At65.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At64.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At63.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At62.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At61.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At60.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At59.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At58.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At57.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At56.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At55.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At54.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At53.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At52.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At51.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At50.job
[2010/08/18 10:15:43 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At49.job
[2010/08/17 14:16:02 | 006,062,084 | ---- | C] () -- C:\Documents and Settings\MORIS\My Documents\ewrg4.mpg
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2010/08/17 13:10:17 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2010/08/17 13:10:16 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2010/08/17 02:21:25 | 000,001,614 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\Runes of Magic.lnk
[2010/08/16 23:30:44 | 000,072,706 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5R6uLSM2.exe
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/08/16 23:30:44 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/08/15 21:01:09 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\MORIS\My Documents\h.doc
[2010/08/15 11:25:47 | 000,001,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth - The Art of Conquest.lnk
[2010/08/15 11:17:42 | 000,001,531 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth.lnk
[2010/08/15 11:14:03 | 000,000,515 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/08/14 15:59:37 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/03 17:46:30 | 000,000,758 | ---- | C] () -- C:\Documents and Settings\MORIS\Application Data\Microsoft\Internet Explorer\Quick Launch\Free M4a to MP3 Converter.lnk
[2010/08/03 17:46:30 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\Free M4a to MP3 Converter.lnk
[2010/08/03 17:46:30 | 000,000,735 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\My Music Tools.lnk
[20

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 moris

moris
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:08 PM

Posted 19 August 2010 - 11:30 PM

EXTRAS!!!________________________________



OTL Extras logfile created on: 8/19/2010 10:07:54 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\MORIS\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 64.71 Gb Free Space | 43.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MORIS-829EBC444
Current User Name: MORIS
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"57768:TCP" = 57768:TCP:*:Enabled:Pando Media Booster
"57768:UDP" = 57768:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"57768:TCP" = 57768:TCP:*:Enabled:Pando Media Booster
"57768:UDP" = 57768:UDP:*:Enabled:Pando Media Booster
"8378:TCP" = 8378:TCP:*:Enabled:League of Legends Launcher
"8378:UDP" = 8378:UDP:*:Enabled:League of Legends Launcher
"7845:TCP" = 7845:TCP:*:Enabled:BitComet 7845 TCP
"7845:UDP" = 7845:UDP:*:Enabled:BitComet 7845 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- File not found
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe -- (Nexon)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Xfire\Xfire.exe" = C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus -- (Vuze Inc.)
"C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe" = C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe:*:Enabled:ConfigFree SUMMIT Engine -- (TOSHIBA CORPORATION)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- File not found
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- ()
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Riot Games\League of Legends\air\LolClient.exe" = C:\Riot Games\League of Legends\air\LolClient.exe:*:Enabled:League of Legends Lobby -- ()
"C:\Riot Games\League of Legends\game\League of Legends.exe" = C:\Riot Games\League of Legends\game\League of Legends.exe:*:Enabled:League of Legends Game Client -- ()
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe -- (www.BitComet.com)
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Civilization4.exe" = C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 Complete -- (Firaxis Games)
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Warlords\Civ4Warlords.exe" = C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4: Warlords -- (Firaxis Games)
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Beyond the Sword\Civ4BeyondSword.exe" = C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization 4 Complete\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4: Beyond the Sword -- (Firaxis Games)
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization IV Colonization\Colonization.exe" = C:\Program Files\2K Games\Firaxis Games\Sid Meier's Civilization IV Colonization\Colonization.exe:*:Enabled:Sid Meier's Civilization IV Colonization -- (Firaxis Games)
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- (Nexon)
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe -- (Nexon)
"C:\Nexon\Combat Arms\NMService.exe" = C:\Nexon\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core -- (Nexon Corp.)
"C:\Program Files\uTorrent\uTorrent .exe" = C:\Program Files\uTorrent\uTorrent .exe:*:Enabled:µTorrent -- ()
"C:\Program Files\uTorrent\uTorrent .exe" = C:\Program Files\uTorrent\uTorrent .exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.7
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318E8A2-4381-468C-BCDB-934488B6EDD3}_is1" = World of Kungfu Europe
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{2447500B-22D7-47BD-9B13-1A927F43A267}" = Empire Earth
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 20
"{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
"{30D1F3D2-54CF-481D-A005-F94B0E98FEEC}" = Sid Meier's Civilization 4 Complete
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = TIPCI
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{79AF9A9A-2BF8-4FD6-B386-72F5FFAE5636}" = HTC Sync
"{7A512A34-F4E8-43C4-BD80-43A022B31BF6}" = MapleStory
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{7D424893-C52F-4A69-BCA5-C84845F9864D}" = mSpot
"{7EE9145D-C430-44E6-B5ED-61FF9C332100}_is1" = Battle of the Immortals
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{93CF9FA6-2A5E-4F8E-923E-F7D8741CB312}" = BabasChess
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2F166A0-F031-4E27-A057-C69733219434}_is1" = Runes of Magic
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
"{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B49C924C-A651-4378-94F6-5D9BF44A959F}" = Empire Earth - The Art of Conquest
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3234E43-10BF-470E-BD2B-2E36EA29D11C}" = League of Legends
"{C45F4811-31D5-4786-801D-F79CD06EDD85}" = SD Secure Module
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFA05440-A429-4A60-84C9-16919C12876F}_is1" = Cabal Online 8.6.30.1
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EF36A836-BF89-4A4F-B079-057B0C68C1E0}" = Sid Meier's Civilization IV Colonization
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"8461-7759-5462-8226" = Vuze
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"BitComet" = BitComet 1.22
"BitTorrent" = BitTorrent
"Combat Arms" = Combat Arms
"Fraps" = Fraps (remove only)
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 6.1
"Game Booster_is1" = Game Booster
"InstallShield_{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MapleStory" = MapleStory
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"OPERATION7" = OPERATION7
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"ProInst" = Intel® PROSet/Wireless Software
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"uTorrent" = µTorrent
"VLC media player" = VLC media player 0.9.8a
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"WinGimp-2.0_is1" = GIMP 2.6.7
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"World Of Kung Fu client" = World Of Kung Fu client 1.0.62
"Xfire" = Xfire (remove only)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/18/2010 08:40:23 PM | Computer Name = MORIS-829EBC444 | Source = Windows Live Messenger | ID = 1000
Description =

Error - 2/19/2010 01:11:01 AM | Computer Name = MORIS-829EBC444 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00040006.

Error - 2/20/2010 03:27:02 PM | Computer Name = MORIS-829EBC444 | Source = Application Error | ID = 1000
Description = Faulting application gongfuclient.exe, version 0.0.0.1, faulting module
uwolosac.dll, version 0.0.0.0, fault address 0x0001ed0b.

Error - 2/20/2010 04:52:47 PM | Computer Name = MORIS-829EBC444 | Source = Application Error | ID = 1000
Description = Faulting application gongfuclient.exe, version 0.0.0.1, faulting module
uwolosac.dll, version 0.0.0.0, fault address 0x0001ed0b.

Error - 2/21/2010 11:02:22 PM | Computer Name = MORIS-829EBC444 | Source = Windows Live Messenger | ID = 1000
Description =

Error - 2/27/2010 12:17:02 PM | Computer Name = MORIS-829EBC444 | Source = Microsoft Office 11 | ID = 2001
Description =

Error - 3/1/2010 01:26:23 AM | Computer Name = MORIS-829EBC444 | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/2/2010 06:29:29 PM | Computer Name = MORIS-829EBC444 | Source = Application Error | ID = 1000
Description = Faulting application gongfuclient.exe, version 0.0.0.1, faulting module
uwolosac.dll, version 0.0.0.0, fault address 0x0001ed0b.

Error - 3/3/2010 07:45:14 PM | Computer Name = MORIS-829EBC444 | Source = Application Error | ID = 1000
Description = Faulting application gongfuclient.exe, version 0.0.0.1, faulting module
uwolosac.dll, version 0.0.0.0, fault address 0x0001ed0b.

Error - 3/12/2010 09:24:33 PM | Computer Name = MORIS-829EBC444 | Source = Application Error | ID = 1000
Description = Faulting application gongfuclient.exe, version 0.0.0.1, faulting module
uwolosac.dll, version 0.0.0.0, fault address 0x0001ed0b.

[ System Events ]
Error - 8/18/2010 03:45:20 PM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 8/18/2010 10:06:20 PM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/18/2010 10:06:20 PM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 8/18/2010 10:29:26 PM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/18/2010 10:29:26 PM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 8/18/2010 11:17:03 PM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/18/2010 11:17:03 PM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 8/19/2010 12:10:05 AM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/19/2010 12:10:05 AM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 8/19/2010 12:10:05 AM | Computer Name = MORIS-829EBC444 | Source = Service Control Manager | ID = 7000
Description = The Secdrv service failed to start due to the following error: %%2


< End of report >



__________________________________________________________________________________



GMER




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-19 13:59:17
Windows 5.1.2600 Service Pack 2
Running: w9vij7cc.exe; Driver: C:\DOCUME~1\MORIS\LOCALS~1\Temp\uwlyqaod.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 20 August 2010 - 04:07 AM

Hi, you had a nasty rootkit on board, which was cleaned by ComboFix; however, first read the following info.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please redownload and rerun Combofix and post me the new log, since it is still showing quite some problems.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 moris

moris
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:08 PM

Posted 20 August 2010 - 12:47 PM

ComboFix 10-08-19.02 - MORIS 08/20/2010 10:24:47.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1025 [GMT -7:00]
Running from: c:\documents and settings\MORIS\My Documents\Downloads\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\5R6uLSM2.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
c:\program files\mSpot\mSpot\mSpot.exe
c:\program files\uTorrent\uTorrent .exe
c:\program files\uTorrent\uTorrent.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job

CODE
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe --->c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher .exe --->c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
c:\program files\mSpot\mSpot\mSpot .exe --->c:\program files\mSpot\mSpot\mSpot.exe
c:\program files\uTorrent\uTorrent  .exe --->c:\program files\uTorrent\uTorrent.exe

.
.
((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.

2010-08-17 08:48 . 2010-08-18 05:56 -------- d-----w- c:\program files\Runes of Magic
2010-08-17 06:28 . 2010-08-17 06:40 -------- d-----w- C:\Runes_of_Magic_3.0.1.2153
2010-08-15 18:18 . 2010-08-15 18:18 -------- d-----w- c:\program files\directx
2010-08-15 18:13 . 2010-08-15 18:21 -------- d-----w- C:\Sierra
2010-08-14 22:58 . 2010-08-14 22:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-09 02:45 . 2010-08-17 08:29 -------- d-----w- c:\documents and settings\MORIS\Application Data\vlc
2010-08-04 06:02 . 2010-08-04 06:02 -------- d-----w- c:\documents and settings\MORIS\Local Settings\Application Data\mSpot
2010-08-04 06:02 . 2010-08-04 06:02 -------- d-----w- c:\program files\mSpot
2010-08-04 00:46 . 2010-08-04 00:46 -------- d-----w- c:\program files\Free M4a to MP3 Converter
2010-08-03 22:28 . 2010-08-03 22:28 -------- d-----w- c:\program files\YouTube Downloader
2010-07-31 21:25 . 2007-11-27 10:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-07-31 21:20 . 2010-07-31 21:27 -------- d-----w- c:\documents and settings\MORIS\Application Data\Teleca
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\documents and settings\MORIS\Local Settings\Application Data\HTC
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-07-31 21:19 . 2009-06-10 07:49 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2010-07-31 21:19 . 2009-06-09 21:41 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-07-31 21:19 . 2010-07-31 21:19 -------- d-----w- c:\program files\Spirent Communications
2010-07-31 21:19 . 2010-07-31 21:20 -------- d-----w- c:\program files\HTC
2010-07-31 21:18 . 2010-07-31 21:18 -------- d-----w- c:\windows\Downloaded Installations
2010-07-31 20:59 . 2004-08-04 06:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-07-31 20:59 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-07-29 22:52 . 2010-07-29 23:03 -------- d-----w- c:\program files\LimeWire
2010-07-28 20:19 . 2010-07-28 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2010-07-27 22:37 . 2010-07-27 22:37 -------- d-----w- C:\Nexon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-20 17:32 . 2010-05-30 02:27 -------- d-----w- c:\program files\uTorrent
2010-08-20 17:16 . 2010-04-24 09:16 112 ----a-w- c:\documents and settings\All Users\Application Data\5flf5gf2l.dat
2010-08-19 21:09 . 2010-05-30 02:27 -------- d-----w- c:\documents and settings\MORIS\Application Data\uTorrent
2010-08-19 21:09 . 2009-11-05 03:17 -------- d-----w- c:\documents and settings\MORIS\Application Data\Xfire
2010-08-19 02:29 . 2009-11-04 06:16 47024 ----a-w- c:\documents and settings\MORIS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-17 05:32 . 2010-04-07 04:39 -------- d-----w- c:\documents and settings\MORIS\Application Data\GetRightToGo
2010-08-17 04:16 . 2010-04-05 15:36 -------- d-----w- c:\program files\World of Kungfu Europe
2010-08-16 23:53 . 2010-04-25 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-08-16 23:50 . 2010-06-11 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-08-16 23:49 . 2010-06-11 01:49 -------- d-----w- c:\program files\DivX
2010-08-16 20:54 . 2010-06-11 01:52 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-08-15 18:21 . 2009-11-04 06:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 22:49 . 2010-02-03 23:35 -------- d-----w- c:\documents and settings\MORIS\Application Data\dvdcss
2010-08-03 22:19 . 2010-07-14 04:42 -------- d-----w- c:\documents and settings\MORIS\Application Data\BitComet
2010-08-03 22:03 . 2010-05-30 02:01 -------- d-----w- c:\documents and settings\MORIS\Application Data\BitTorrent
2010-07-31 21:27 . 2009-11-05 03:17 -------- d-----w- c:\program files\Xfire
2010-07-31 21:25 . 2010-07-31 21:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-07-31 21:25 . 2010-07-31 21:25 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-07-28 20:19 . 2010-05-21 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-07-28 05:53 . 2010-06-15 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-07-27 22:37 . 2010-05-21 03:04 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-07-27 22:37 . 2010-05-21 03:04 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-07-27 22:37 . 2010-05-21 03:04 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-07-27 22:37 . 2010-05-21 03:04 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-07-27 22:37 . 2010-05-21 03:04 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-07-27 22:37 . 2010-05-21 03:04 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-07-14 21:53 . 2010-07-14 21:53 -------- d-----w- c:\program files\2K Games
2010-07-14 21:51 . 2010-07-14 21:51 -------- d-----w- c:\documents and settings\MORIS\Application Data\InstallShield
2010-07-14 04:51 . 2010-07-14 04:51 -------- d-----w- c:\program files\BitTorrent
2010-07-14 04:42 . 2010-07-14 04:42 -------- d-----w- c:\program files\BitComet
2010-07-14 04:42 . 2010-07-14 04:42 1440768 ----a-w- c:\documents and settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-07-07 20:30 . 2010-07-07 20:30 61440 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-79ae0fec-n\decora-sse.dll
2010-07-07 20:30 . 2010-07-07 20:30 503808 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-30cf96d2-n\msvcp71.dll
2010-07-07 20:30 . 2010-07-07 20:30 12800 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-79ae0fec-n\decora-d3d.dll
2010-07-07 20:30 . 2010-07-07 20:30 499712 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-30cf96d2-n\jmc.dll
2010-07-07 20:30 . 2010-07-07 20:30 348160 ----a-w- c:\documents and settings\MORIS\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-30cf96d2-n\msvcr71.dll
2010-07-07 18:20 . 2010-04-29 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 22:59 . 2010-06-09 22:59 134144 ----a-w- c:\windows\~GLC0001.TMP
2010-06-09 22:59 . 2010-06-09 22:59 134144 ----a-w- c:\windows\~GLC0000.TMP
2010-04-23 05:14 . 2010-04-23 05:13 1077248 --sha-w- c:\windows\system32\1470.tmp
2010-05-01 22:08 . 2010-05-01 18:11 3879712 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-01 22:08 . 2010-05-01 18:11 19488 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.
CODE
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\ltmoh\Ltmoh .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\TOSHIBA\TOSCDSPD\toscdspd .exe
c:\program files\TOSHIBA\TOSHIBA Applet\thotkey .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"uTorrent"="c:\program files\uTorrent\uTorrent .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"NDSTray.exe"="NDSTray.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-04-25 37388]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]
"mSpot"="c:\program files\mSpot\mSpot\mSpot.exe" [2010-07-28 947584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

c:\documents and settings\MORIS\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-7-9 3493776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-11-3 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57768:TCP"= 57768:TCP:Pando Media Booster
"57768:UDP"= 57768:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"7845:TCP"= 7845:TCP:BitComet 7845 TCP
"7845:UDP"= 7845:UDP:BitComet 7845 UDP

R2 k;k;c:\windows\system32\o.sys [4/23/2010 03:08 PM 4736]
S0 gxojs;gxojs; [x]
S2 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [7/31/2010 02:19 PM 24576]
S3 SVRPEDRV;SVRPEDRV;\??\d:\bin\PEDrv.sys --> d:\bin\PEDrv.sys [?]
S3 XDva309;XDva309;\??\c:\windows\system32\XDva309.sys --> c:\windows\system32\XDva309.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-07 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WinLiveSuite_Wave3 - c:\program files\Windows Live\Installer\wlarp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 10:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-08-20 10:35:37
ComboFix-quarantined-files.txt 2010-08-20 17:35

Pre-Run: 69,477,982,208 bytes free
Post-Run: 69,569,658,880 bytes free

- - End Of File - - C99B279E02B7599FEFBD3DE73FB9A292


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 20 August 2010 - 01:25 PM

Hi, still some Vundo to fix. Please let me know how things are running afterwards.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
AtJob::

RenV::
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\ltmoh\Ltmoh .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\TOSHIBA\TOSCDSPD\toscdspd .exe
c:\program files\TOSHIBA\TOSHIBA Applet\thotkey .exe

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


regards, Elise



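The RenV:: and AtJob:: directives in the script above undo two things the ComboFix log in the previous post shows: autostart binaries that now exist as "name .exe" (a space before the extension; the log records ComboFix deleting Reader_sl.exe and then renaming "Reader_sl .exe" back to Reader_sl.exe), and the At1.job/At10.job tasks under c:\windows\Tasks. The Python script below is an added example, not part of this thread and not ComboFix's own code, that pulls exactly those indicators out of ComboFix-style log lines and assembles the matching RenV:: list. The sample lines are copied from the log posted above; the regular expressions, the Finding record and the function names are my own, the extension list beyond .exe is an assumption, and the [N/A]/[X] check only marks autostart entries whose target ComboFix could not find, which is worth a look rather than proof of anything.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted earlier in
# this thread (Run keys, deleted scheduled tasks, and the RenV file list).
SAMPLE_LOG = r'''
"Google Update"="c:\documents and settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"uTorrent"="c:\program files\uTorrent\uTorrent .exe" [N/A]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Spybot - Search & Destroy\TeaTimer .exe
'''

# Whitespace between the file name and its extension ("uTorrent .exe").
# No installer names a binary this way; ComboFix's RenV:: directive exists
# to rename such files back. Extensions other than .exe are my assumption.
SPACED_EXT = re.compile(r'\S\s+\.(?:exe|dll|sys|scr|com)\b', re.I)
# ComboFix "Reg Loading Points" line:  "Name"="command" [date size | N/A | X]
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<status>[^\]]*)\]')
# Tasks created with at.exe are named AtN.job; ComboFix's AtJob:: removes them.
AT_JOB = re.compile(r'\\Tasks\\At\d+\.job$', re.I)


@dataclass
class Finding:
    kind: str   # 'renamed-binary', 'missing-target' or 'at-job'
    path: str   # the file the finding is about
    line: str   # the log line it came from


def scan_log(text: str) -> list:
    """Return one Finding per indicator found in ComboFix-style log text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reg = REG_LINE.match(line)
        if reg:
            cmd, status = reg.group('cmd'), reg.group('status')
            m = SPACED_EXT.search(cmd)
            if m:
                findings.append(Finding('renamed-binary', cmd[:m.end()], line))
            if status in ('N/A', 'X'):
                # ComboFix could not stat the target; not proof, but look at it.
                findings.append(Finding('missing-target', cmd, line))
            continue
        if AT_JOB.search(line):
            findings.append(Finding('at-job', line, line))
            continue
        m = SPACED_EXT.search(line)
        if m:
            findings.append(Finding('renamed-binary', line[:m.end()], line))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, e.g. {'renamed-binary': 4, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def renv_script(findings) -> str:
    """Build the RenV:: section of a CFScript from the renamed-binary
    findings: one 'name .exe' path per line, in log order, deduplicated.
    Returns '' when there is nothing to rename."""
    seen = []
    for f in findings:
        if f.kind == 'renamed-binary' and f.path not in seen:
            seen.append(f.path)
    if not seen:
        return ''
    return 'RenV::\n' + '\n'.join(seen)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f.kind:16} {f.path}')
    print()
    print(renv_script(found))
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the renamed-binary lines are the ones that belong under RenV::, any at-job finding means AtJob:: is warranted, and missing-target entries are simply the autostart values to look at by hand.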

#9 moris

moris
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:08 PM

Posted 21 August 2010 - 12:45 PM

OK, well, right now I haven't had a problem with it, but before I dragged CFScript into ComboFix I had 35 processes running; now I have 44.
Also, for some odd reason, every time I run ComboFix it says that Spyware Doctor Antivirus is running in the background, and I got rid of Spyware Doctor a long time ago. So far iexplorer hasn't been coming up and asking "would you like to make IE your main browser" (I use Chrome).

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 21 August 2010 - 01:31 PM

Please post the log ComboFix created. Don't worry about Spyware Doctor, that's most likely a leftover.

regards, Elise




#11 moris

moris
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:08 PM

Posted 22 August 2010 - 06:54 PM

ComboFix 10-08-22.03 - MORIS 08/22/2010 16:28:50.13.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1025 [GMT -7:00]
Running from: c:\documents and settings\MORIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MORIS\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\MORIS\Favorites\OnlineVideoConverter.com Convert & Download YouTube videos....url

.
((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-21 19:55 . 2010-08-21 19:57 -------- d-----w- c:\documents and settings\MORIS\Application Data\Ventrilo
2010-08-21 19:51 . 2010-08-21 19:51 -------- d-----w- c:\program files\Ventrilo
2010-08-17 08:48 . 2010-08-18 05:56 -------- d-----w- c:\program files\Runes of Magic
2010-08-17 06:28 . 2010-08-17 06:40 -------- d-----w- C:\Runes_of_Magic_3.0.1.2153
2010-08-15 18:18 . 2010-08-15 18:18 -------- d-----w- c:\program files\directx
2010-08-15 18:13 . 2010-08-15 18:21 -------- d-----w- C:\Sierra
2010-08-14 22:58 . 2010-08-14 22:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-09 02:45 . 2010-08-17 08:29 -------- d-----w- c:\documents and settings\MORIS\Application Data\vlc
2010-08-04 06:02 . 2010-08-04 06:02 -------- d-----w- c:\documents and settings\MORIS\Local Settings\Application Data\mSpot
2010-08-04 06:02 . 2010-08-04 06:02 -------- d-----w- c:\program files\mSpot
2010-08-04 00:46 . 2010-08-04 00:46 -------- d-----w- c:\program files\Free M4a to MP3 Converter
2010-08-03 22:28 . 2010-08-03 22:28 -------- d-----w- c:\program files\YouTube Downloader
2010-07-31 21:25 . 2007-11-27 10:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-07-31 21:20 . 2010-07-31 21:27 -------- d-----w- c:\documents and settings\MORIS\Application Data\Teleca
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\documents and settings\MORIS\Local Settings\Application Data\HTC
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-07-31 21:20 . 2010-07-31 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-07-31 21:19 . 2009-06-10 07:49 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2010-07-31 21:19 . 2009-06-09 21:41 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-07-31 21:19 . 2010-07-31 21:19 -------- d-----w- c:\program files\Spirent Communications
2010-07-31 21:19 . 2010-07-31 21:20 -------- d-----w- c:\program files\HTC
2010-07-31 21:18 . 2010-07-31 21:18 -------- d-----w- c:\windows\Downloaded Installations
2010-07-31 20:59 . 2004-08-04 06:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-07-31 20:59 . 2004-08-04 06:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-07-29 22:52 . 2010-07-29 23:03 -------- d-----w- c:\program files\LimeWire
2010-07-28 20:19 . 2010-07-28 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2010-07-27 22:37 . 2010-07-27 22:37 -------- d-----w- C:\Nexon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 19:51 . 2010-05-02 01:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-21 17:38 . 2009-11-05 03:17 -------- d-----w- c:\documents and settings\MORIS\Application Data\Xfire
2010-08-21 16:52 . 2009-11-04 06:32 -------- d-----w- c:\program files\ltmoh
2010-08-20 17:32 . 2010-05-30 02:27 -------- d-----w- c:\program files\uTorrent
2010-08-20 17:16 . 2010-04-24 09:16 112 ----a-w- c:\documents and settings\All Users\Application Data\5flf5gf2l.dat
2010-08-19 21:09 . 2010-05-30 02:27 -------- d-----w- c:\documents and settings\MORIS\Application Data\uTorrent
2010-08-19 02:29 . 2009-11-04 06:16 47024 ----a-w- c:\documents and settings\MORIS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-17 05:32 . 2010-04-07 04:39 -------- d-----w- c:\documents and settings\MORIS\Application Data\GetRightToGo
2010-08-17 04:16 . 2010-04-05 15:36 -------- d-----w- c:\program files\World of Kungfu Europe
2010-08-16 23:53 . 2010-04-25 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-08-16 23:50 . 2010-06-11 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-08-16 23:49 . 2010-06-11 01:49 -------- d-----w- c:\program files\DivX
2010-08-15 18:21 . 2009-11-04 06:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-03 22:49 . 2010-02-03 23:35 -------- d-----w- c:\documents and settings\MORIS\Application Data\dvdcss
2010-08-03 22:19 . 2010-07-14 04:42 -------- d-----w- c:\documents and settings\MORIS\Application Data\BitComet
2010-08-03 22:03 . 2010-05-30 02:01 -------- d-----w- c:\documents and settings\MORIS\Application Data\BitTorrent
2010-07-31 21:27 . 2009-11-05 03:17 -------- d-----w- c:\program files\Xfire
2010-07-31 21:25 . 2010-07-31 21:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-07-31 21:25 . 2010-07-31 21:25 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-07-28 20:19 . 2010-05-21 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-07-28 05:53 . 2010-06-15 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-07-14 21:53 . 2010-07-14 21:53 -------- d-----w- c:\program files\2K Games
2010-07-14 21:51 . 2010-07-14 21:51 -------- d-----w- c:\documents and settings\MORIS\Application Data\InstallShield
2010-07-14 04:51 . 2010-07-14 04:51 -------- d-----w- c:\program files\BitTorrent
2010-07-14 04:42 . 2010-07-14 04:42 -------- d-----w- c:\program files\BitComet
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-07-07 18:20 . 2010-04-29 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 22:59 . 2010-06-09 22:59 134144 ----a-w- c:\windows\~GLC0001.TMP
2010-06-09 22:59 . 2010-06-09 22:59 134144 ----a-w- c:\windows\~GLC0000.TMP
2010-04-23 05:14 . 2010-04-23 05:13 1077248 --sha-w- c:\windows\system32\1470.tmp
2010-05-01 22:08 . 2010-05-01 18:11 3879712 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-01 22:08 . 2010-05-01 18:11 19488 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.
c:\program files\Spybot - Search & Destroy\TeaTimer .exe


((((((((((((((((((((((((((((( SnapShot@2010-08-20_17.33.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-22 23:44 . 2010-08-22 23:44 16384 c:\windows\temp\Perflib_Perfdata_138.dat
+ 2010-08-21 19:51 . 2010-08-21 19:51 683520 c:\windows\Installer\856d0e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]
"uTorrent"="c:\program files\uTorrent\uTorrent .exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"NDSTray.exe"="NDSTray.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-20 598016]
"mSpot"="c:\program files\mSpot\mSpot\mSpot.exe" [2010-07-28 947584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

c:\documents and settings\MORIS\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-7-9 3493776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-11-3 155648]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57768:TCP"= 57768:TCP:Pando Media Booster
"57768:UDP"= 57768:UDP:Pando Media Booster
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"7845:TCP"= 7845:TCP:BitComet 7845 TCP
"7845:UDP"= 7845:UDP:BitComet 7845 UDP

R2 k;k;c:\windows\system32\o.sys [4/23/2010 03:08 PM 4736]
S0 gxojs;gxojs; [x]
S2 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [7/31/2010 02:19 PM 24576]
S3 SVRPEDRV;SVRPEDRV;\??\d:\bin\PEDrv.sys --> d:\bin\PEDrv.sys [?]
S3 XDva309;XDva309;\??\c:\windows\system32\XDva309.sys --> c:\windows\system32\XDva309.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-07 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 16:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\MORIS\LOCALS~1\Temp\mspD.tmp 1277213 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2224)
c:\program files\Xfire\xfire_toucan_43094.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Common Files\Teleca Shared\logger.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
.
**************************************************************************
.
Completion time: 2010-08-22 16:52:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 23:52
ComboFix2.txt 2010-08-21 17:35
ComboFix3.txt 2010-08-20 17:35

Pre-Run: 69,494,231,040 bytes free
Post-Run: 69,468,180,480 bytes free

- - End Of File - - 3F98CF3761FB5D6F5D6C4ECDA7592174


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 23 August 2010 - 04:10 AM

Hi, can you please completely uninstall Spybot, reboot your computer and then manually delete the following folder: c:\program files\Spybot - Search & Destroy. If you use it, you can reinstall it after you delete the folder successfully. One of its files is infected with Vundo and will not be fixed unless uninstalled.

Can you now please post me a new OTL log?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."



#13 moris

moris
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:12:08 PM

Posted 25 August 2010 - 12:52 AM

OTL logfile created on: 8/24/2010 10:47:34 PM - Run 2
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\MORIS\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 25.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 64.74 Gb Free Space | 43.44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MORIS-829EBC444
Current User Name: MORIS
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/19 10:07:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MORIS\Desktop\OTL.exe
PRC - [2010/05/18 13:23:54 | 000,389,120 | R--- | M] (Teleca) -- C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
PRC - [2010/03/17 16:22:52 | 001,019,904 | R--- | M] (Teleca Sweden AB) -- C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
PRC - [2010/03/17 16:08:22 | 000,253,952 | R--- | M] (TODO: <Company name>) -- C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
PRC - [2010/03/17 16:08:04 | 000,462,848 | R--- | M] (Teleca AB) -- C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
PRC - [2009/12/11 15:50:34 | 000,557,056 | R--- | M] (Teleca AB) -- C:\Program Files\Common Files\Teleca Shared\Generic.exe
PRC - [2009/06/03 10:25:16 | 000,106,496 | R--- | M] (Popwire AB) -- C:\Program Files\Common Files\Teleca Shared\logger.exe
PRC - [2009/04/14 13:14:26 | 000,139,264 | ---- | M] (Teleca Sweden AB) -- C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
PRC - [2007/09/19 21:48:51 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/20 12:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005/11/28 12:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/11/28 12:29:00 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/11/28 12:28:14 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/11/02 17:41:04 | 000,978,944 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2005/10/06 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/08/28 01:37:00 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe


========== Modules (SafeList) ==========

MOD - [2010/08/19 10:07:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MORIS\Desktop\OTL.exe
MOD - [2007/09/19 21:35:28 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/03 15:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\msapps\comsrvr.exe -- (COMServer)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService)
SRV - [2005/12/20 12:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/11/28 12:31:32 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2005/11/28 12:29:00 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2005/11/28 12:28:14 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva309.sys -- (XDva309)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\tifm21.sys -- (tifm21)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\BIN\PEDrv.sys -- (SVRPEDRV)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Nexon\MapleStory\npkcrypt.sys -- (npkcrypt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/04/23 15:08:25 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\o.sys -- (k)
DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2007/09/19 21:33:16 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/12/16 17:15:06 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/12/09 17:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/05 02:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/11/28 13:09:26 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/11/15 10:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/10/20 15:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/10/06 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/10/06 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/10/06 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/10/06 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/10/06 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/10/06 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/10/06 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/24 16:20:28 | 000,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)
DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/06/02 04:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2003/01/29 15:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]

IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 41 AE ED 05 79 2A 70 49 B7 CC 8D 45 FB 97 8F F5 [binary data]
IE - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://google.atcomet.com/b/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.21


[2009/11/06 19:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Extensions
[2009/11/04 21:57:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/11/05 19:50:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\extensions
[2009/11/05 19:50:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/07/23 02:19:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions
[2010/06/13 16:01:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/13 21:42:20 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Documents and Settings\MORIS\Application Data\Mozilla\Firefox\Profiles\nnnowunp.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2010/02/21 03:22:32 | 000,712,704 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2009/11/09 18:30:56 | 000,189,592 | ---- | M] (MGame) -- C:\Program Files\Mozilla Firefox\plugins\NPMFireLauncher.dll

O1 HOSTS File: ([2010/08/22 16:44:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.6.22.dll (BitComet)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
O3 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [CFSServ.exe] File not found
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [Mobile Connectivity Suite] C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe (Teleca Sweden AB)
O4 - HKLM..\Run: [mSpot] C:\Program Files\mSpot\mSpot\mSpot.exe (mSpot)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003..\Run: [Google Update] C:\Documents and Settings\MORIS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe File not found
O4 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr .exe File not found
O4 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent .exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\MORIS\Start Menu\Programs\Startup\Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (Xfire Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1229272821-1383384898-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.6.22.dll (BitComet)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} http://www.netgame.com/mplugin/mglaunch_USAv1005.cab (MGLaunch_v1004 Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.128.12
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/03 22:45:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/08/23 14:33:59 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/21 12:55:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Application Data\Ventrilo
[2010/08/21 12:51:23 | 000,000,000 | ---D | C] -- C:\Program Files\Ventrilo
[2010/08/20 10:22:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/20 10:22:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/20 10:22:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/20 10:22:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/20 10:22:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/19 10:07:31 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\MORIS\Desktop\OTL.exe
[2010/08/17 14:31:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MORIS\My Documents\Runes of Magic
[2010/08/17 01:48:28 | 000,000,000 | ---D | C] -- C:\Program Files\Runes of Magic
[2010/08/16 23:28:28 | 000,000,000 | ---D | C] -- C:\Runes_of_Magic_3.0.1.2153
[2010/08/15 11:18:09 | 000,000,000 | ---D | C] -- C:\Program Files\directx
[2010/08/15 11:13:58 | 000,000,000 | ---D | C] -- C:\Sierra
[2010/08/14 15:58:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/08/08 19:45:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Application Data\vlc
[2010/08/04 05:35:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Desktop\Defcon
[2010/08/03 23:02:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Local Settings\Application Data\mSpot
[2010/08/03 23:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\mSpot
[2010/08/03 17:46:29 | 000,000,000 | ---D | C] -- C:\Program Files\Free M4a to MP3 Converter
[2010/08/03 15:28:06 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2010/07/31 14:25:25 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2010/07/31 14:20:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Application Data\Teleca
[2010/07/31 14:20:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Local Settings\Application Data\HTC
[2010/07/31 14:20:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HTC
[2010/07/31 14:20:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Teleca Shared
[2010/07/31 14:20:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Teleca
[2010/07/31 14:19:42 | 001,122,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WdfCoInstaller01007.dll
[2010/07/31 14:19:42 | 000,024,576 | ---- | C] (HTC, Corporation) -- C:\WINDOWS\System32\drivers\ANDROIDUSB.sys
[2010/07/31 14:19:38 | 000,000,000 | ---D | C] -- C:\Program Files\Spirent Communications
[2010/07/31 14:19:33 | 000,000,000 | ---D | C] -- C:\Program Files\HTC
[2010/07/31 14:18:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010/07/31 13:59:41 | 000,031,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2010/07/29 16:26:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\Desktop\Downloads
[2010/07/29 15:54:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MORIS\My Documents\LimeWire
[2010/07/29 15:52:32 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2010/07/28 13:19:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nexon
[2010/07/27 15:37:17 | 000,000,000 | ---D | C] -- C:\Nexon
[2009/11/03 23:34:41 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/24 01:53:13 | 003,494,010 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\flexiblepositions_britneyamber_003.mpg
[2010/08/23 14:33:45 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\MORIS\NTUSER.DAT
[2010/08/22 16:45:00 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/22 16:44:39 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/08/22 16:44:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/22 16:44:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/22 16:44:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/22 16:44:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/22 16:43:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\MORIS\ntuser.ini
[2010/08/22 16:24:01 | 003,825,596 | R--- | M] () -- C:\Documents and Settings\MORIS\Desktop\ComboFix.exe
[2010/08/21 12:51:27 | 000,000,262 | ---- | M] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/08/21 12:51:25 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2010/08/21 09:43:46 | 000,158,208 | ---- | M] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/20 10:16:39 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\5flf5gf2l.dat
[2010/08/19 10:07:34 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MORIS\Desktop\OTL.exe
[2010/08/18 21:11:36 | 000,000,279 | ---- | M] () -- C:\Shortcut to Local Disk ©.lnk
[2010/08/18 19:31:06 | 000,000,314 | RHS- | M] () -- C:\boot.ini
[2010/08/18 19:29:45 | 000,047,024 | ---- | M] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/18 19:29:21 | 000,214,472 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/17 02:21:25 | 000,001,614 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\Runes of Magic.lnk
[2010/08/16 23:10:31 | 000,000,869 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Battle of the Immortals.lnk
[2010/08/15 21:01:10 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\h.doc
[2010/08/15 11:25:47 | 000,001,685 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth - The Art of Conquest.lnk
[2010/08/15 11:21:46 | 000,000,515 | ---- | M] () -- C:\WINDOWS\SIERRA.INI
[2010/08/15 11:17:42 | 000,001,531 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth.lnk
[2010/08/14 18:31:41 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\MORIS R. V. resume.doc
[2010/08/14 16:15:45 | 004,317,540 | -H-- | M] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\IconCache.db
[2010/08/14 15:59:37 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/08 19:21:58 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/08/03 17:46:30 | 000,000,758 | ---- | M] () -- C:\Documents and Settings\MORIS\Application Data\Microsoft\Internet Explorer\Quick Launch\Free M4a to MP3 Converter.lnk
[2010/08/03 17:46:30 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\Free M4a to MP3 Converter.lnk
[2010/08/03 15:28:08 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\YouTube Downloader.lnk
[2010/08/02 14:22:05 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\U.P. Letter.doc
[2010/08/01 23:42:53 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\MORIS\My Documents\26.doc
[2010/07/31 14:25:31 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
[2010/07/31 14:25:30 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2010/07/28 00:32:37 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\OPERATION7.lnk
[2010/07/27 22:08:02 | 001,976,296 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\Operation7Downloader-20100325.exe
[2010/07/27 20:15:18 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\MORIS\Desktop\w9vij7cc.exe
[2010/07/27 15:42:31 | 000,001,497 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Combat Arms.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/24 01:53:10 | 003,494,010 | ---- | C] () -- C:\Documents and Settings\MORIS\My Documents\flexiblepositions_britneyamber_003.mpg
[2010/08/21 12:51:25 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2010/08/21 12:51:14 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/08/21 09:48:39 | 003,825,596 | R--- | C] () -- C:\Documents and Settings\MORIS\Desktop\ComboFix.exe
[2010/08/20 10:22:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/20 10:22:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/20 10:22:50 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/18 21:11:36 | 000,000,279 | ---- | C] () -- C:\Shortcut to Local Disk ©.lnk
[2010/08/17 02:21:25 | 000,001,614 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\Runes of Magic.lnk
[2010/08/15 21:01:09 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\MORIS\My Documents\h.doc
[2010/08/15 11:25:47 | 000,001,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth - The Art of Conquest.lnk
[2010/08/15 11:17:42 | 000,001,531 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Empire Earth.lnk
[2010/08/15 11:14:03 | 000,000,515 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/08/14 15:59:37 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/03 17:46:30 | 000,000,758 | ---- | C] () -- C:\Documents and Settings\MORIS\Application Data\Microsoft\Internet Explorer\Quick Launch\Free M4a to MP3 Converter.lnk
[2010/08/03 17:46:30 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\Free M4a to MP3 Converter.lnk
[2010/08/03 15:28:08 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\YouTube Downloader.lnk
[2010/08/02 14:18:48 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\MORIS\My Documents\U.P. Letter.doc
[2010/08/01 23:42:53 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\MORIS\My Documents\26.doc
[2010/08/01 15:50:43 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\MORIS\My Documents\MORIS R. V. resume.doc
[2010/07/31 14:25:31 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
[2010/07/31 14:25:30 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2010/07/27 23:29:35 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\OPERATION7.lnk
[2010/07/27 22:08:02 | 001,976,296 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\Operation7Downloader-20100325.exe
[2010/07/27 20:15:16 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\MORIS\Desktop\w9vij7cc.exe
[2010/07/27 15:42:31 | 000,001,497 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Combat Arms.lnk
[2010/07/09 12:04:40 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/05/12 17:04:22 | 000,000,248 | ---- | C] () -- C:\WINDOWS\RomeTW.ini
[2010/05/01 14:05:37 | 002,077,183 | ---- | C] () -- C:\WINDOWS\System32\nievdob.dll
[2010/05/01 14:05:22 | 003,129,979 | ---- | C] () -- C:\WINDOWS\System32\errfocodo.dll
[2010/05/01 14:05:08 | 003,269,504 | ---- | C] () -- C:\WINDOWS\System32\ebxwishedll.dll
[2010/05/01 14:05:02 | 003,035,270 | ---- | C] () -- C:\WINDOWS\System32\wiaetco.dll
[2010/05/01 14:04:05 | 002,432,548 | ---- | C] () -- C:\WINDOWS\System32\asdlloror.dll
[2010/05/01 14:03:49 | 003,191,430 | ---- | C] () -- C:\WINDOWS\System32\jmfoanddll.dll
[2010/05/01 14:03:42 | 003,244,958 | ---- | C] () -- C:\WINDOWS\System32\andjmpocra.dll
[2010/05/01 14:02:39 | 003,114,449 | ---- | C] () -- C:\WINDOWS\System32\je32doto.dll
[2010/05/01 14:02:29 | 003,354,063 | ---- | C] () -- C:\WINDOWS\System32\32dllandshe.dll
[2010/05/01 14:02:14 | 003,382,512 | ---- | C] () -- C:\WINDOWS\System32\apierrexlo.dll
[2010/05/01 14:01:59 | 002,423,771 | ---- | C] () -- C:\WINDOWS\System32\etyuplin.dll
[2010/05/01 14:01:53 | 002,828,911 | ---- | C] () -- C:\WINDOWS\System32\beevgi.dll
[2010/05/01 12:13:32 | 002,048,179 | ---- | C] () -- C:\WINDOWS\System32\glinara.dll
[2010/05/01 12:13:15 | 002,622,065 | ---- | C] () -- C:\WINDOWS\System32\gietloje.dll
[2010/05/01 12:12:59 | 003,046,302 | ---- | C] () -- C:\WINDOWS\System32\asuarandet.dll
[2010/05/01 12:12:53 | 002,682,608 | ---- | C] () -- C:\WINDOWS\System32\yetpoet.dll
[2010/05/01 12:11:56 | 002,619,718 | ---- | C] () -- C:\WINDOWS\System32\yeripdo.dll
[2010/05/01 12:11:39 | 003,387,085 | ---- | C] () -- C:\WINDOWS\System32\ebxapiebxup.dll
[2010/05/01 12:11:33 | 002,808,086 | ---- | C] () -- C:\WINDOWS\System32\sheupapifo.dll
[2010/05/01 12:10:29 | 002,906,749 | ---- | C] () -- C:\WINDOWS\System32\yjmglin.dll
[2010/05/01 12:10:23 | 002,822,163 | ---- | C] () -- C:\WINDOWS\System32\loexgex.dll
[2010/05/01 12:09:45 | 002,440,729 | ---- | C] () -- C:\WINDOWS\System32\alohcra.dll
[2010/05/01 12:09:10 | 003,575,330 | ---- | C] () -- C:\WINDOWS\System32\arpoaslo.dll
[2010/05/01 12:08:35 | 002,548,745 | ---- | C] () -- C:\WINDOWS\System32\polodll32.dll
[2010/05/01 12:08:01 | 002,324,354 | ---- | C] () -- C:\WINDOWS\System32\ebxpohasu.dll
[2010/05/01 12:07:31 | 002,117,475 | ---- | C] () -- C:\WINDOWS\System32\wiparex.dll
[2010/05/01 12:06:57 | 002,908,947 | ---- | C] () -- C:\WINDOWS\System32\asuaretlin.dll
[2010/05/01 12:06:22 | 002,851,171 | ---- | C] () -- C:\WINDOWS\System32\foarebxerr.dll
[2010/05/01 12:06:06 | 003,231,404 | ---- | C] () -- C:\WINDOWS\System32\erryuplin.dll
[2010/05/01 12:05:50 | 002,446,297 | ---- | C] () -- C:\WINDOWS\System32\asorjear.dll
[2010/05/01 12:05:43 | 002,674,923 | ---- | C] () -- C:\WINDOWS\System32\dolinto32.dll
[2010/05/01 12:04:40 | 002,123,921 | ---- | C] () -- C:\WINDOWS\System32\edllara.dll
[2010/05/01 12:04:34 | 003,368,411 | ---- | C] () -- C:\WINDOWS\System32\jesaras.dll
[2010/05/01 12:03:34 | 002,490,330 | ---- | C] () -- C:\WINDOWS\System32\exexgand.dll
[2010/05/01 12:03:17 | 003,017,160 | ---- | C] () -- C:\WINDOWS\System32\fo32win32.dll
[2010/05/01 12:03:01 | 002,575,182 | ---- | C] () -- C:\WINDOWS\System32\ardllgiasu.dll
[2010/05/01 12:02:54 | 002,405,141 | ---- | C] () -- C:\WINDOWS\System32\arcoyrip.dll
[2010/05/01 12:01:58 | 002,809,627 | ---- | C] () -- C:\WINDOWS\System32\ripandand32.dll
[2010/05/01 12:01:35 | 002,374,122 | ---- | C] () -- C:\WINDOWS\System32\crapapis.dll
[2010/05/01 12:01:20 | 002,540,685 | ---- | C] () -- C:\WINDOWS\System32\storipex.dll
[2010/05/01 12:01:05 | 002,735,749 | ---- | C] () -- C:\WINDOWS\System32\wgijmh.dll
[2010/05/01 12:00:50 | 002,949,195 | ---- | C] () -- C:\WINDOWS\System32\wlinya.dll
[2010/05/01 12:00:36 | 002,128,396 | ---- | C] () -- C:\WINDOWS\System32\lohto32.dll
[2010/05/01 12:00:21 | 003,078,598 | ---- | C] () -- C:\WINDOWS\System32\fodlllinto.dll
[2010/05/01 11:34:11 | 002,777,208 | ---- | C] () -- C:\WINDOWS\System32\foevapiet.dll
[2010/05/01 11:33:57 | 003,101,731 | ---- | C] () -- C:\WINDOWS\System32\fofoto32.dll
[2010/05/01 11:33:42 | 002,972,048 | ---- | C] () -- C:\WINDOWS\System32\logdlla.dll
[2010/05/01 11:33:32 | 002,757,456 | ---- | C] () -- C:\WINDOWS\System32\erretoy.dll
[2010/05/01 11:33:17 | 002,224,248 | ---- | C] () -- C:\WINDOWS\System32\wicoara.dll
[2010/05/01 11:33:03 | 002,261,180 | ---- | C] () -- C:\WINDOWS\System32\coandpfo.dll
[2010/05/01 11:32:48 | 003,202,899 | ---- | C] () -- C:\WINDOWS\System32\or32ebxe.dll
[2010/05/01 11:32:34 | 003,397,963 | ---- | C] () -- C:\WINDOWS\System32\hbhco.dll
[2010/05/01 11:32:27 | 002,546,704 | ---- | C] () -- C:\WINDOWS\System32\dllararpo.dll
[2010/05/01 11:31:31 | 002,496,984 | ---- | C] () -- C:\WINDOWS\System32\linexapito.dll
[2010/05/01 11:31:17 | 002,774,452 | ---- | C] () -- C:\WINDOWS\System32\loaupp.dll
[2010/05/01 11:31:06 | 002,736,375 | ---- | C] () -- C:\WINDOWS\System32\asetlocra.dll
[2010/05/01 11:30:52 | 002,643,848 | ---- | C] () -- C:\WINDOWS\System32\sacoor.dll
[2010/05/01 11:30:41 | 002,716,848 | ---- | C] () -- C:\WINDOWS\System32\ripebxcraet.dll
[2010/05/01 11:30:27 | 002,437,516 | ---- | C] () -- C:\WINDOWS\System32\bwinpoebx.dll
[2010/05/01 11:30:16 | 003,011,776 | ---- | C] () -- C:\WINDOWS\System32\niexarg.dll
[2010/05/01 11:30:05 | 002,274,099 | ---- | C] () -- C:\WINDOWS\System32\coriporwin.dll
[2010/05/01 11:29:55 | 002,244,505 | ---- | C] () -- C:\WINDOWS\System32\anddlldow.dll
[2010/05/01 11:29:44 | 002,428,581 | ---- | C] () -- C:\WINDOWS\System32\shefoarh.dll
[2010/05/01 11:29:38 | 003,395,379 | ---- | C] () -- C:\WINDOWS\System32\winjmcrarip.dll
[2010/05/01 11:28:36 | 003,284,888 | ---- | C] () -- C:\WINDOWS\System32\oryloe.dll
[2010/05/01 11:28:20 | 002,491,126 | ---- | C] () -- C:\WINDOWS\System32\exarerras.dll
[2010/05/01 11:28:06 | 003,599,460 | ---- | C] () -- C:\WINDOWS\System32\arbgipo.dll
[2010/05/01 11:27:50 | 002,805,698 | ---- | C] () -- C:\WINDOWS\System32\ygfoshe.dll
[2010/05/01 11:27:40 | 002,646,645 | ---- | C] () -- C:\WINDOWS\System32\wfoasar.dll
[2010/05/01 11:27:25 | 002,730,632 | ---- | C] () -- C:\WINDOWS\System32\toaasucra.dll
[2010/05/01 11:27:19 | 002,634,512 | ---- | C] () -- C:\WINDOWS\System32\todlljear.dll
[2010/05/01 11:26:23 | 002,144,110 | ---- | C] () -- C:\WINDOWS\System32\pdllhgi.dll
[2010/05/01 11:25:55 | 003,162,796 | ---- | C] () -- C:\WINDOWS\System32\jelinasuje.dll
[2010/05/01 11:25:41 | 003,255,267 | ---- | C] () -- C:\WINDOWS\System32\wilolob.dll
[2010/05/01 11:25:26 | 002,267,852 | ---- | C] () -- C:\WINDOWS\System32\anddllyapi.dll
[2010/05/01 11:25:12 | 003,478,780 | ---- | C] () -- C:\WINDOWS\System32\dllerrtoshe.dll
[2010/05/01 11:25:00 | 002,647,164 | ---- | C] () -- C:\WINDOWS\System32\yhandrip.dll
[2010/05/01 11:24:45 | 003,054,263 | ---- | C] () -- C:\WINDOWS\System32\gasdoasu.dll
[2010/05/01 11:24:30 | 002,075,332 | ---- | C] () -- C:\WINDOWS\System32\edoniapi.dll
[2010/05/01 11:24:15 | 003,025,534 | ---- | C] () -- C:\WINDOWS\System32\wiripah.dll
[2010/05/01 11:24:01 | 003,267,653 | ---- | C] () -- C:\WINDOWS\System32\shecraupp.dll
[2010/05/01 11:23:46 | 002,540,964 | ---- | C] () -- C:\WINDOWS\System32\apiebxblin.dll
[2010/05/01 11:23:30 | 002,642,089 | ---- | C] () -- C:\WINDOWS\System32\ycololo.dll
[2010/05/01 11:23:16 | 002,855,536 | ---- | C] () -- C:\WINDOWS\System32\douppoand.dll
[2010/05/01 11:23:09 | 002,685,495 | ---- | C] () -- C:\WINDOWS\System32\doalinas.dll
[2010/05/01 11:22:06 | 002,526,484 | ---- | C] () -- C:\WINDOWS\System32\p32foor.dll
[2010/05/01 11:21:51 | 002,198,463 | ---- | C] () -- C:\WINDOWS\System32\errwierrlin.dll
[2010/05/01 11:21:37 | 003,259,741 | ---- | C] () -- C:\WINDOWS\System32\errshegidll.dll
[2010/05/01 11:21:22 | 002,272,327 | ---- | C] () -- C:\WINDOWS\System32\jetogto.dll
[2010/05/01 11:21:06 | 003,416,182 | ---- | C] () -- C:\WINDOWS\System32\dllcoetfo.dll
[2010/05/01 11:21:01 | 003,442,672 | ---- | C] () -- C:\WINDOWS\System32\ebxdoarg.dll
[2010/05/01 11:20:01 | 002,620,129 | ---- | C] () -- C:\WINDOWS\System32\craetasulo.dll
[2010/05/01 11:19:46 | 003,625,870 | ---- | C] () -- C:\WINDOWS\System32\crawiaet.dll
[2010/05/01 11:19:40 | 002,487,021 | ---- | C] () -- C:\WINDOWS\System32\asapiexe.dll
[2010/05/01 11:18:25 | 002,630,011 | ---- | C] () -- C:\WINDOWS\System32\apiwiph.dll
[2010/05/01 11:18:11 | 002,602,921 | ---- | C] () -- C:\WINDOWS\System32\apilolinapi.dll
[2010/05/01 11:17:56 | 002,584,315 | ---- | C] () -- C:\WINDOWS\System32\arhnig.dll
[2010/05/01 11:17:47 | 002,202,937 | ---- | C] () -- C:\WINDOWS\System32\hsbex.dll
[2010/05/01 11:17:31 | 002,117,258 | ---- | C] () -- C:\WINDOWS\System32\linarcop.dll
[2010/05/01 11:17:16 | 002,499,127 | ---- | C] () -- C:\WINDOWS\System32\aacray.dll
[2010/05/01 11:17:11 | 003,568,347 | ---- | C] () -- C:\WINDOWS\System32\exsheuplo.dll
[2010/05/01 11:16:06 | 002,800,795 | ---- | C] () -- C:\WINDOWS\System32\asegib.dll
[2010/05/01 11:15:52 | 002,541,654 | ---- | C] () -- C:\WINDOWS\System32\loebxfoar.dll
[2010/05/01 11:15:37 | 002,708,045 | ---- | C] () -- C:\WINDOWS\System32\loripapilin.dll
[2010/05/01 11:15:32 | 002,576,404 | ---- | C] () -- C:\WINDOWS\System32\craeapiar.dll
[2010/05/01 11:14:34 | 002,288,309 | ---- | C] () -- C:\WINDOWS\System32\anddllwinet.dll
[2010/05/01 11:14:19 | 002,325,242 | ---- | C] () -- C:\WINDOWS\System32\winerrpodll.dll
[2010/05/01 11:14:05 | 003,275,444 | ---- | C] () -- C:\WINDOWS\System32\shejejerip.dll
[2010/05/01 11:13:50 | 002,390,623 | ---- | C] () -- C:\WINDOWS\System32\hebxlingi.dll
[2010/05/01 11:13:36 | 002,324,962 | ---- | C] () -- C:\WINDOWS\System32\ebxpoorcra.dll
[2010/05/01 11:13:21 | 002,408,949 | ---- | C] () -- C:\WINDOWS\System32\exjesheh.dll
[2010/05/01 11:13:11 | 002,434,893 | ---- | C] () -- C:\WINDOWS\System32\arnicop.dll
[2010/05/01 11:12:56 | 003,432,150 | ---- | C] () -- C:\WINDOWS\System32\gisapie.dll
[2010/05/01 11:12:42 | 003,516,138 | ---- | C] () -- C:\WINDOWS\System32\arebxebxh.dll
[2010/05/01 11:12:27 | 003,608,608 | ---- | C] () -- C:\WINDOWS\System32\craloars.dll
[2010/05/01 11:12:12 | 002,676,732 | ---- | C] () -- C:\WINDOWS\System32\aasdoas.dll
[2010/05/01 11:11:58 | 003,618,451 | ---- | C] () -- C:\WINDOWS\System32\asupwinni.dll
[2010/05/01 11:11:13 | 002,535,407 | ---- | C] () -- C:\WINDOWS\System32\byevw.dll
[2010/05/01 11:10:50 | 002,415,994 | ---- | C] () -- C:\WINDOWS\System32\shepoloje.dll
[2010/05/01 11:10:28 | 002,626,186 | ---- | C] () -- C:\WINDOWS\System32\lolinripas.dll
[2010/05/01 11:10:22 | 002,975,788 | ---- | C] () -- C:\WINDOWS\System32\wnibe.dll
[2010/05/01 11:09:01 | 002,494,531 | ---- | C] () -- C:\WINDOWS\System32\aspoarex.dll
[2010/05/01 11:08:46 | 002,522,980 | ---- | C] () -- C:\WINDOWS\System32\befofo.dll
[2010/05/01 11:08:22 | 003,490,472 | ---- | C] () -- C:\WINDOWS\System32\dllexgilo.dll
[2010/05/01 11:08:07 | 003,574,459 | ---- | C] () -- C:\WINDOWS\System32\arniriprip.dll
[2010/05/01 11:07:53 | 002,698,121 | ---- | C] () -- C:\WINDOWS\System32\cralojmup.dll
[2010/05/01 11:07:38 | 002,623,977 | ---- | C] () -- C:\WINDOWS\System32\lintoaet.dll
[2010/05/01 11:07:14 | 002,437,663 | ---- | C] () -- C:\WINDOWS\System32\sheandjmet.dll
[2010/05/01 11:07:05 | 003,285,818 | ---- | C] () -- C:\WINDOWS\System32\cowiloy.dll
[2010/05/01 11:06:50 | 002,345,459 | ---- | C] () -- C:\WINDOWS\System32\ebxweet.dll
[2010/05/01 11:06:41 | 002,233,289 | ---- | C] () -- C:\WINDOWS\System32\eloys.dll
[2010/05/01 11:06:26 | 003,230,546 | ---- | C] () -- C:\WINDOWS\System32\errsebxlo.dll
[2010/05/01 11:06:02 | 003,565,682 | ---- | C] () -- C:\WINDOWS\System32\argshefo.dll
[2010/05/01 11:05:47 | 002,642,290 | ---- | C] () -- C:\WINDOWS\System32\apilinupapi.dll
[2010/05/01 11:05:41 | 002,510,820 | ---- | C] () -- C:\WINDOWS\System32\linasuevex.dll
[2010/05/01 11:04:39 | 003,443,058 | ---- | C] () -- C:\WINDOWS\System32\dllcrawlo.dll
[2010/05/01 11:04:24 | 002,455,643 | ---- | C] () -- C:\WINDOWS\System32\32asapiet.dll
[2010/05/01 11:04:10 | 002,445,521 | ---- | C] () -- C:\WINDOWS\System32\dllandasue.dll
[2010/05/01 11:03:55 | 002,473,969 | ---- | C] () -- C:\WINDOWS\System32\dllwarand.dll
[2010/05/01 11:03:41 | 002,566,440 | ---- | C] () -- C:\WINDOWS\System32\poarfos.dll
[2010/05/01 11:03:26 | 002,705,966 | ---- | C] () -- C:\WINDOWS\System32\auptoor.dll
[2010/05/01 11:01:11 | 002,418,404 | ---- | C] () -- C:\WINDOWS\System32\winhapias.dll
[2010/04/30 15:05:18 | 005,384,114 | ---- | C] () -- C:\WINDOWS\System32\hyaex.dll
[2010/04/30 15:04:47 | 005,397,925 | ---- | C] () -- C:\WINDOWS\System32\32linwinerr.dll
[2010/04/30 15:04:15 | 004,601,060 | ---- | C] () -- C:\WINDOWS\System32\linnidllwi.dll
[2010/04/30 15:03:44 | 004,476,929 | ---- | C] () -- C:\WINDOWS\System32\evniapifo.dll
[2010/04/30 15:03:13 | 004,145,804 | ---- | C] () -- C:\WINDOWS\System32\ebxwih32.dll
[2010/04/30 15:02:40 | 004,827,663 | ---- | C] () -- C:\WINDOWS\System32\wyeb.dll
[2010/04/30 15:02:03 | 002,458,375 | ---- | C] () -- C:\WINDOWS\System32\errgicowi.dll
[2010/04/30 15:01:32 | 002,472,187 | ---- | C] () -- C:\WINDOWS\System32\argiyapi.dll
[2010/04/30 15:01:00 | 003,873,663 | ---- | C] () -- C:\WINDOWS\System32\arharje.dll
[2010/04/30 15:00:29 | 003,021,259 | ---- | C] () -- C:\WINDOWS\System32\lohetlo.dll
[2010/04/26 19:30:40 | 000,011,298 | -HS- | C] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\b08620CF7A25y
[2010/04/26 19:30:40 | 000,011,298 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\b08620CF7A25y
[2010/04/26 06:32:39 | 000,005,136 | ---- | C] () -- C:\WINDOWS\System32\youja_.dll
[2010/04/25 10:49:07 | 000,013,194 | -HS- | C] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\3753767991
[2010/04/25 10:38:25 | 000,013,182 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3753767991
[2010/04/25 10:38:25 | 000,013,182 | -HS- | C] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\2245860339
[2010/04/25 10:35:39 | 000,013,190 | -HS- | C] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\2dhtt0G
[2010/04/25 10:35:39 | 000,013,190 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2245860339
[2010/04/25 10:35:35 | 000,012,312 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\2dhtt0G
[2010/04/25 10:35:35 | 000,012,312 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2dhtt0G
[2010/04/24 02:16:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5flf5gf2l.dat
[2010/04/23 15:08:25 | 000,004,736 | ---- | C] () -- C:\WINDOWS\System32\o.sys
[2010/04/05 09:28:54 | 000,001,824 | ---- | C] () -- C:\WINDOWS\TSearch.INI
[2009/12/09 17:46:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/11/05 17:26:46 | 000,158,208 | ---- | C] () -- C:\Documents and Settings\MORIS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/04 16:17:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2009/11/03 23:40:01 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/11/03 23:34:41 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2009/11/03 23:32:23 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2009/11/03 23:32:23 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2009/11/03 23:32:23 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2009/11/03 23:32:23 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2009/11/03 23:26:29 | 000,000,251 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/09/19 21:59:14 | 007,216,660 | ---- | C] () -- C:\WINDOWS\System32\craniwh.dll
[2007/09/19 21:59:14 | 007,213,748 | ---- | C] () -- C:\WINDOWS\System32\foevebxlo.dll
[2007/09/19 21:59:14 | 006,655,291 | ---- | C] () -- C:\WINDOWS\System32\coniass.dll
[2007/09/19 21:59:14 | 006,429,888 | ---- | C] () -- C:\WINDOWS\System32\jmebxpoy.dll
[2007/09/19 21:59:14 | 006,361,242 | ---- | C] () -- C:\WINDOWS\System32\asudolinor.dll
[2007/09/19 21:59:14 | 006,360,596 | ---- | C] () -- C:\WINDOWS\System32\edlllinlo.dll
[2007/09/19 21:59:14 | 005,948,312 | ---- | C] () -- C:\WINDOWS\System32\foapitocra.dll
[2007/09/19 21:59:14 | 003,889,367 | ---- | C] () -- C:\WINDOWS\System32\arandfop.dll
[2007/09/19 21:59:14 | 003,413,010 | ---- | C] () -- C:\WINDOWS\System32\etetasuh.dll
[2007/09/19 21:59:14 | 002,956,144 | ---- | C] () -- C:\WINDOWS\System32\errcodoy.dll
[2007/09/19 21:59:14 | 002,854,963 | ---- | C] () -- C:\WINDOWS\System32\poevexup.dll
[2007/09/19 21:59:14 | 002,692,885 | ---- | C] () -- C:\WINDOWS\System32\toupbh.dll
[2007/09/19 21:59:14 | 002,546,077 | ---- | C] () -- C:\WINDOWS\System32\basjmb.dll
[2007/09/19 21:59:14 | 002,506,653 | ---- | C] () -- C:\WINDOWS\System32\exjmripebx.dll
[2007/09/19 21:59:14 | 002,325,602 | ---- | C] () -- C:\WINDOWS\System32\ripdllcraerr.dll
[2007/09/19 21:59:14 | 002,184,882 | ---- | C] () -- C:\WINDOWS\System32\winorandar.dll
[2007/09/19 21:59:14 | 002,179,012 | ---- | C] () -- C:\WINDOWS\System32\bjefoex.dll
[2007/09/19 21:59:14 | 001,846,184 | ---- | C] () -- C:\WINDOWS\System32\bpojelo.dll
[2007/09/19 21:59:14 | 001,811,610 | ---- | C] () -- C:\WINDOWS\System32\widlldolo.dll
[2007/09/19 21:59:14 | 001,586,742 | ---- | C] () -- C:\WINDOWS\System32\ya32asu.dll
[2005/08/24 16:20:28 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1899/12/30 00:00:00 | 003,567,708 | ---- | C] () -- C:\WINDOWS\System32\ripfouppo.dll
[1899/12/30 00:00:00 | 002,791,591 | ---- | C] () -- C:\WINDOWS\System32\fodojmshe.dll
[1899/12/30 00:00:00 | 002,571,755 | ---- | C] () -- C:\WINDOWS\System32\apipojmlin.dll
[1899/12/30 00:00:00 | 002,453,752 | ---- | C] () -- C:\WINDOWS\System32\polinnidll.dll
[1899/12/30 00:00:00 | 001,241,095 | ---- | C] () -- C:\WINDOWS\System32\exerrapis.dll
[1899/12/30 00:00:00 | 001,094,297 | ---- | C] () -- C:\WINDOWS\System32\winwapiasu.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >



#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 25 August 2010 - 03:37 AM

Hello again, please let me know how things are running after the following fix:

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    DRV - [2010/04/23 15:08:25 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\o.sys -- (k)
    O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
    O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found

    :commands
    [emptytemp]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft
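The two O37 lines in Elise's fix are the reason .exe launches on this machine are unreliable: the per-user `.exe` association has been pointed at a ProgID `secfile` whose open command runs `ave.exe` (now deleted) in front of every program, while the HKLM entries still carry the stock `"%1" %*`. The following script is an added example, not part of the thread or of OTL itself; it parses O35/O37 lines in the format shown in the log above and flags any handler that deviates from the Windows default, so a helper reading a fresh OTL report can spot this class of hijack without scanning the whole file by eye. The sample lines are copied from the log posted above; the regular expressions and the `secfile`/`exefile` comparison logic are this example's own assumptions about the line layout, not an OTL API.

```python
"""
Flag hijacked .exe/.com file-association handlers in OTL report lines.

Added example (not OTL's code). Windows launches an executable through the
ProgID bound to its extension (exefile for .exe, ComFile for .com) and that
ProgID's shell\open\command, whose stock value is  "%1" %*  (run the file,
pass arguments through). Anything else in front of "%1" runs before every
program the user starts, and a per-user (HKU) mapping overrides HKLM in the
merged HKEY_CLASSES_ROOT view.
"""
import re
from dataclasses import dataclass, field

DEFAULT_OPEN_COMMAND = '"%1" %*'                 # stock Windows open command
DEFAULT_PROGIDS = {"exe": "exefile", "com": "ComFile"}  # stock ProgIDs per extension

# O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\...\ave.exe" /START "%1" %* File not found
O37_RE = re.compile(
    r'^O37 - (?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.(?P<ext>\w+) \[@ = (?P<progid>[^\]]+)\] -- '
    r'(?P<command>.*?)(?P<missing> File not found)?$'
)
# O35 - HKLM\..exefile [open] -- "%1" %*
O35_RE = re.compile(
    r'^O35 - (?P<hive>HKLM|HKU\\[^\\]+)\\\.\.(?P<progid>\w+) \[open\] -- (?P<command>.*)$'
)


@dataclass
class Finding:
    line: str
    hive: str
    progid: str
    command: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def check_line(line):
    """Return a Finding for a non-default O35/O37 handler line, else None."""
    line = line.strip()
    m = O37_RE.match(line)
    if m:
        ext = m.group("ext").lower()
        progid = m.group("progid")
        command = m.group("command").strip()
        missing = m.group("missing") is not None
        reasons = []
        expected = DEFAULT_PROGIDS.get(ext)
        if expected and progid.lower() != expected.lower():
            reasons.append(f".{ext} mapped to ProgID {progid!r} instead of {expected!r}")
        if command != DEFAULT_OPEN_COMMAND:
            reasons.append(f"open command is {command!r}, not {DEFAULT_OPEN_COMMAND!r}")
        if missing:
            reasons.append("handler binary is gone (OTL: File not found), so launches fail")
        if reasons and m.group("hive").startswith("HKU"):
            reasons.append("per-user mapping overrides the machine-wide one in HKCR")
        return Finding(line, m.group("hive"), progid, command, missing, reasons) if reasons else None
    m = O35_RE.match(line)
    if m:
        command = m.group("command").strip()
        if command != DEFAULT_OPEN_COMMAND:
            return Finding(line, m.group("hive"), m.group("progid"), command, False,
                           [f"open command is {command!r}, not {DEFAULT_OPEN_COMMAND!r}"])
    return None


def audit(log_text):
    """Scan a whole OTL report and return the Findings for suspicious handlers."""
    return [f for f in (check_line(raw) for raw in log_text.splitlines()) if f]


# Sample input: the O35/O37 lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r'''
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
'''


def main():
    for f in audit(SAMPLE_LOG):
        print(f"[{f.hive}] {f.progid}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

Run against the sample it reports only the two HKU entries, each with four reasons, and stays silent on the four HKLM lines that still carry the stock handler; that split is exactly what makes the fix above target the O37 lines and leave O35 alone.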


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:08 PM

Posted 30 August 2010 - 07:55 AM

Hi, are you still there?

regards, Elise






