
Win32:Qandr, firefox redirecting to different sites


This topic is locked
29 replies to this topic

#1 Hassan H

Hassan H

  • Members
  • 16 posts

Posted 07 June 2010 - 05:31 AM

Dear Sir/Madam,

A detailed explanation of my issue can be found Here. I guess I was told to post a new topic because I didn't follow the preparation guide, and for that I'm truly sorry. To make things easier, here's a quote from my previous post:

QUOTE
Greetings,

Before I start rambling about my problem I would simply like to thank you for all the work you do here, and the valuable input you offer our community.

Today i have a new problem to discuss, and hopefully fix, with your esteemed selves.

Almost three or four days ago, my Google Chrome suddenly stopped working. It would appear as if it was loading a page, but that loading process would last indefinitely. Not too long after, my Avast detected a Win32:Qandr [Rtk] and moved the infected file to the chest accordingly; I thought the issue was over.

Two days ago, the domino effect kicked in, and I have been getting many detections of trojans, rootkits, and other malicious software. All are being moved to the avast chest, so as you can imagine that chest is pretty full right now. I took the liberty of writing down the most frequent detections, those being:

Win32:Qandr [Rtk]
Win32:MalbOb-AJ [Cryp]
Win32:Induc
Win32:Alureon-GN [Rrk]
Win32:Dropper-gen [Drp]
Win32:Crypt-GKU [Drop]
Win32:Rootkit-gen [Rtk]


And to make matters more complicated, for the past 24 hours I keep getting a Trojan Horse Blocked notification from avast every 10 minutes or so; 90% of the time it's this message:

Trojan Horse Blocked

Object: C:\Windows\Temp\ufrt.tmp\svchost.exe
Infection: Win32:Small-CHC [Trj]
Action: Moved to chest
Process: C:\Windows\system32\svchost.exe



Updated info: One day after my previous post, I stopped getting the Small-CHC repeated detections, but now my Firefox is redirecting to many different sites, some of which are being blocked by avast as potential malware sites. I also keep getting the Win32:Qandr detection from time to time. My computer doesn't feel slow, just the internet.


I didn't encounter any errors while creating the logs required. I attached what's required, and here are the DDS logs:


============

DDS (Ver_10-03-17.01) - NTFSx86
Run by XxX at 13:03:46.08 on 07/06/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1256.962.1033.18.2048.1237 [GMT 3:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\XxX\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
D:\Program Files\Steam\Steam.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\lxczcoms.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\slmdmsr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\BattlePing\BattleP.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\XxX\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.4.1.10.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\xxx\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Advanced Task Scheduler Basic] "c:\program files\advanced task scheduler basic\advscheduler_bscadm.exe" noshow
uRun: [Steam] "d:\program files\steam\Steam.exe" -silent
uRun: [Web Studio 5.0 Update Setup] c:\users\xxx\appdata\local\{22a05767-4eab-4af6-a400-7e5b87be48e3}\WebStudio5Install.exe /updatesetup
uRun: [Web Studio 5.0 Update Setup for All Users] c:\programdata\{22a05767-4eab-4af6-a400-7e5b87be48e3}\WebStudio5Install.exe /updatesetup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\xxx\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\users\xxx\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.4.1.10.dll/206
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\BattleP.dll
DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - hxxp://www.worldwinner.com/games/v48/brickout/brickout.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {76D9C06F-8FDA-4DB2-804F-E1EF0893713A} = 81.10.124.2 81.10.124.3
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
mASetup: {7E6FA2FF-CC41-4145-9C06-19C1F78DF855} - c:\program files\microsoft\microsoft maren\bin\reg.exe
mASetup: {970EA2E9-E7B8-45E1-9CB5-0DEB37C2C28D} - %SystemRoot%\System32\regsvr32.exe /s c:\program files\microsoft\microsoft maren\bin\TextService.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\xxx\appdata\roaming\mozilla\firefox\profiles\bh5grulr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\xxx\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\xxx\appdata\roaming\mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-11 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-11 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-5-11 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-11 40384]
R3 BATTLEP;BATTLEP;c:\program files\battleping\BattleP.exe [2009-12-25 1568768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]

=============== Created Last 30 ================

2010-06-07 09:56:46 176 ----a-w- c:\users\xxx\defogger_reenable
2010-06-02 08:26:52 0 d-----w- c:\users\xxx\appdata\roaming\MyLogoMaker
2010-06-02 08:21:27 0 d-----w- c:\program files\MySoftware
2010-06-02 08:13:18 90112 ----a-w- c:\windows\unvise32.exe
2010-06-02 08:11:59 0 d-----w- c:\program files\The Logo Creator v5
2010-06-02 07:11:44 0 d-----w- c:\users\xxx\appdata\roaming\Artisteer
2010-06-02 07:09:17 0 d-----w- c:\program files\Artisteer 2
2010-06-01 14:41:18 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-06-01 08:25:09 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-06-01 08:25:09 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-06-01 08:25:09 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-06-01 08:25:08 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-01 08:24:00 0 d-----w- c:\windows\system32\directx
2010-06-01 08:21:05 0 d-----w- c:\program files\common files\BioWare
2010-06-01 08:03:14 0 d-----w- c:\users\xxx\appdata\roaming\Malwarebytes
2010-06-01 08:02:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 08:02:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 08:02:51 0 d-----w- c:\programdata\Malwarebytes
2010-06-01 08:02:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 15:20:41 65536 --sha-w- c:\users\xxx\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TM.blf
2010-05-31 15:20:41 524288 --sha-w- c:\users\xxx\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TMContainer00000000000000000002.regtrans-ms
2010-05-31 15:20:41 524288 --sha-w- c:\users\xxx\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TMContainer00000000000000000001.regtrans-ms
2010-05-29 01:10:57 0 d-----w- c:\programdata\SEGA Corporation
2010-05-25 17:06:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-25 14:59:24 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-05-25 14:59:23 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-05-25 14:59:15 0 d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2010-05-25 14:57:33 0 d-----w- c:\users\xxx\appdata\roaming\Prison Break
2010-05-24 16:30:59 1443252 ----a-w- C:\Pligg CMS 1.0.4.zip
2010-05-23 07:50:34 188676605 ----a-w- c:\windows\MEMORY.DMP
2010-05-21 20:33:55 0 d-----w- c:\program files\common files\PX Storage Engine
2010-05-21 14:25:25 0 dc-h--w- c:\programdata\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}
2010-05-21 14:24:33 0 d-----w- c:\program files\BackToTheBeach
2010-05-21 14:24:32 0 d-----w- c:\users\xxx\appdata\roaming\BackToTheBeach
2010-05-20 15:01:17 823808 ----a-w- c:\windows\system32\drivers\seufxm.sys
2010-05-20 08:00:18 938272 ----a-w- c:\windows\system32\wodFtpDLX.OCX
2010-05-20 08:00:13 0 d-----w- c:\program files\CoffeeCup Software
2010-05-20 01:35:03 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-05-20 01:35:03 0 d-----w- c:\program files\common files\SourceTec
2010-05-20 01:34:53 0 d-----w- c:\program files\SourceTec
2010-05-19 18:49:56 0 d-----w- c:\users\xxx\appdata\roaming\SWiSH Max3
2010-05-19 18:48:37 0 d-----w- c:\program files\LameACM
2010-05-19 18:48:15 0 d-----w- c:\program files\common files\SWiSHzone.com
2010-05-19 18:48:10 0 d-----w- c:\program files\SWiSH Max3
2010-05-19 18:03:33 0 d-----w- c:\program files\Show.kit 2.1
2010-05-19 18:02:18 0 d-----w- c:\users\xxx\appdata\roaming\Thinstall
2010-05-19 17:35:14 0 d-----w- c:\program files\A4DeskPro
2010-05-19 16:45:32 0 d-----w- c:\users\xxx\appdata\roaming\A4DeskPro
2010-05-19 03:22:57 0 d-----w- c:\programdata\ALM
2010-05-19 03:21:22 0 d-----w- c:\program files\Bonjour
2010-05-19 03:06:52 0 d-----w- c:\program files\common files\Macrovision Shared
2010-05-19 02:14:40 0 d-----w- c:\program files\Flash Website Design
2010-05-19 02:02:08 0 d-----w- c:\programdata\MAGIX
2010-05-19 02:00:19 0 d-----w- c:\users\xxx\appdata\roaming\MAGIX
2010-05-19 01:59:30 0 d-----w- c:\programdata\Xara
2010-05-19 01:59:30 0 d-----w- c:\program files\Xara
2010-05-18 03:30:43 0 d-----w- c:\users\xxx\appdata\roaming\Avanquest
2010-05-18 01:57:17 0 d-----w- c:\programdata\BVRP Software
2010-05-18 01:57:17 0 d-----w- c:\programdata\Avanquest
2010-05-18 01:49:23 0 d-----w- c:\program files\Avanquest
2010-05-17 14:40:20 0 d-----w- c:\programdata\FLEXnet
2010-05-17 13:05:28 0 d-----w- c:\program files\common files\MSSoap
2010-05-15 23:14:03 0 d-----w- c:\users\xxx\appdata\roaming\Aleo Software
2010-05-15 23:13:31 0 d-----w- c:\program files\Aleo Software
2010-05-15 06:18:23 0 d-----w- c:\program files\Flash Effect Maker
2010-05-15 04:40:51 423 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Bonus Intro.dat
2010-05-15 04:40:51 114818 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Bonus Intro.bmp
2010-05-15 04:40:37 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-05-15 04:40:37 11697 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Version 2-4.dat
2010-05-15 04:40:37 114818 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Version 2-4.bmp
2010-05-15 04:40:24 0 d-----w- c:\program files\Intro Wizard Software
2010-05-15 02:10:52 17686528 ----a-w- c:\windows\system32\mkl_blueripple.dll
2010-05-11 01:52:39 6 ----a-w- c:\windows\system32\sitesecuredll.inf
2010-05-11 01:52:00 0 d-----w- c:\program files\TrendyFlash Site Builder
2010-05-10 23:11:40 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-10 23:10:45 0 d-----w- c:\programdata\Alwil Software

==================== Find3M ====================

2010-06-06 11:37:27 138592 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-06 11:37:18 219128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-01 14:41:52 138056 ----a-w- c:\users\xxx\appdata\roaming\PnkBstrK.sys
2010-05-15 02:09:00 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-15 02:09:00 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-12 08:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 16:41:38 313168 ----a-w- c:\windows\system32\WPPFilt.dll
2010-04-23 11:27:01 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-04-15 02:32:57 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-12 07:36:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-11 13:54:28 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-04-11 13:54:28 172032 ------w- c:\windows\Setup1.exe
2010-04-11 13:49:20 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-11 13:49:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-28 14:00:26 196608 ----a-w- c:\windows\system32\lp.dll
2010-03-22 11:22:42 1247776 ----a-w- c:\windows\RtlExUpd.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:04:38.26 ===============
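The avast notification quoted in this post (a file named svchost.exe written under C:\Windows\Temp\<random>.tmp\ while the real C:\Windows\system32\svchost.exe is named as the writing process) is the kind of indicator a small triage script can pull out of a pasted log automatically. The Python below is an added example written for this thread; it is not part of the original post, of DDS, or of any BleepingComputer tool. The sample log text inside it is constructed to mirror the notification and the DDS "Running Processes" lines above, and the legitimate-directory list (LEGIT_SVCHOST_DIRS) and the two regular expressions are the example's own assumptions about what a genuine svchost path and a Temp drop folder look like.

```python
"""Triage helper: flag svchost.exe instances running outside System32 and any
executable dropped into a C:\\Windows\\Temp\\<name>.tmp\\ folder.

Added example for this thread, not part of the original post, of DDS, or of
any BleepingComputer tool. The sample lines below are constructed to mirror
the avast notification and DDS "Running Processes" entries quoted above.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample input: one avast block notification followed by three
# DDS-style process lines (two legitimate svchost hosts and the DDS tool).
SAMPLE_LOG = """\
Trojan Horse Blocked
Object: C:\\Windows\\Temp\\ufrt.tmp\\svchost.exe
Infection: Win32:Small-CHC [Trj]
Action: Moved to chest
Process: C:\\Windows\\system32\\svchost.exe
C:\\Windows\\system32\\svchost.exe -k DcomLaunch
C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
C:\\Users\\XxX\\Downloads\\dds.scr
"""

# Assumption: directories from which a genuine svchost.exe runs (compared
# case-insensitively; SysWOW64 covers the 32-bit host on 64-bit Windows).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# A Windows path ending in .exe; non-greedy so the match stops at the first
# ".exe", before any command-line switches such as "-k DcomLaunch".
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.exe\b", re.IGNORECASE)

# C:\Windows\Temp\<anything>.tmp\... : the drop location seen in the alert.
TEMP_DROP_RE = re.compile(r"^c:\\windows\\temp\\[^\\]+\.tmp\\")


def classify(path: str) -> list:
    """Return the reasons a path looks suspicious (empty list if none)."""
    p = PureWindowsPath(path)
    lowered = str(p).lower()
    parent = str(p.parent).lower()
    reasons = []
    if p.name.lower() == "svchost.exe" and parent not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside System32")
    if TEMP_DROP_RE.match(lowered):
        reasons.append("executable inside a Windows\\Temp *.tmp folder")
    return reasons


def scan_log(text: str) -> list:
    """Scan avast/DDS style text and return one finding per suspicious path."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PATH_RE.finditer(line):
            reasons = classify(match.group(0))
            if reasons:
                findings.append({"line": lineno, "path": match.group(0),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Runs against the constructed sample; pass a saved log's text instead.
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run as a script it reports only the Temp copy of svchost.exe, on both grounds. The "Process:" line is deliberately not flagged: avast names the real C:\Windows\system32\svchost.exe as the writer, which points at a component loaded into that host process rather than at the host binary being out of place, so the actionable finding is the dropped file, and the process list from DDS is checked with the same rule to confirm every running svchost.exe sits in System32.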




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 10 June 2010 - 07:12 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 Hassan H

Hassan H
  • Topic Starter

  • Members
  • 16 posts

Posted 11 June 2010 - 11:12 AM

Hello and thank you very much for your response. I'm still having the same issues described in my original posts, in addition to a new repeated detection by avast; here is the exact message I get (every 10 minutes or so):

Dropper Blocked
Object: C:\Windows\Temp\ttqd.tmp\svchost.exe
Infection: Win32:Dropper-gen [Drp]
Action: Moved to chest
Process: C:\Windows\system32\svchost.exe


Here are the logs you requested:


OTL Logs:

OTL logfile created on: 11/06/2010 06:27:56 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Users\XxX\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
8.00 Gb Paging File | 7.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): c:\pagefile.sys 0 0d:\pagefile.sys 4000 18000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.39 Gb Total Space | 96.62 Gb Free Space | 66.00% Space Free | Partition Type: NTFS
Drive D: | 785.03 Gb Total Space | 359.55 Gb Free Space | 45.80% Space Free | Partition Type: NTFS
Drive E: | 39.06 Gb Total Space | 18.41 Gb Free Space | 47.13% Space Free | Partition Type: NTFS
Drive F: | 58.59 Gb Total Space | 17.86 Gb Free Space | 30.48% Space Free | Partition Type: NTFS
Drive G: | 51.39 Gb Total Space | 1.65 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
Drive H: | 7.81 Mb Total Space | 0.07 Mb Free Space | 0.85% Space Free | Partition Type: NTFS
Drive I: | 5.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: HASSANPC
Current User Name: XxX
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/11 18:24:47 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Users\XxX\Downloads\OTL.exe
PRC - [2010/05/07 12:42:46 | 000,083,440 | ---- | M] (Google) -- C:\Users\XxX\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
PRC - [2010/05/06 23:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/04/11 16:49:14 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/04/01 20:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/21 08:40:22 | 002,956,536 | ---- | M] (www.BitComet.com) -- C:\Program Files\BitComet\BitComet.exe
PRC - [2010/01/19 14:10:54 | 008,452,640 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/12/25 02:27:14 | 001,568,768 | ---- | M] () -- C:\Program Files\BattlePing\BattleP.exe
PRC - [2009/09/30 19:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/07/14 04:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 04:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/27 15:20:02 | 000,074,408 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
PRC - [2009/04/27 15:19:38 | 000,058,024 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\LXCZbmon.exe
PRC - [2007/05/11 03:06:38 | 000,341,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
PRC - [2007/04/19 15:43:42 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxczcoms.exe
PRC - [2006/10/27 15:23:04 | 000,347,432 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
PRC - [2005/05/11 19:53:26 | 000,061,440 | ---- | M] ( ) -- C:\Windows\System32\slmdmsr.exe


========== Modules (SafeList) ==========

MOD - [2010/06/11 18:24:47 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Users\XxX\Downloads\OTL.exe
MOD - [2009/07/14 04:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 04:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 04:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 04:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 04:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 04:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 04:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 04:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 04:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 04:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 04:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/14 04:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/06/08 19:56:38 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Windows\System32\FastUv32.dll -- (FastUserSwitchingCompatibility)
SRV - [2010/05/19 06:06:52 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/05/17 19:27:06 | 000,395,048 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/12/25 02:27:14 | 001,568,768 | ---- | M] () [On_Demand | Running] -- C:\Program Files\BattlePing\BattleP.exe -- (BATTLEP)
SRV - [2009/07/14 04:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 04:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 04:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 04:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 04:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 04:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 04:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 04:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 04:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 04:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 04:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 04:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 04:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 04:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 04:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 04:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 04:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 04:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 04:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 04:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 04:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2007/04/19 15:43:42 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxczcoms.exe -- (lxcz_device)
SRV - [2005/05/11 19:53:26 | 000,061,440 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\slmdmsr.exe -- (SLService)


========== Driver Services (SafeList) ==========

DRV - [2010/06/08 19:56:36 | 000,002,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\mipsinf.sys -- (mipsinf)
DRV - [2010/05/25 17:59:24 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/05/25 17:59:23 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/05/06 23:39:23 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/05/06 23:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/05/06 23:34:27 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/05/06 23:34:10 | 000,051,792 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010/05/06 23:33:47 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/15 05:32:57 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/01/19 13:37:54 | 002,991,328 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/01/12 12:03:34 | 011,586,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/11/20 16:26:50 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/07/14 04:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 04:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 04:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 04:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 04:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 04:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 04:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 04:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/14 04:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 04:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 04:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 04:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 04:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 04:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 04:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 04:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 04:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 04:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 04:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 04:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 04:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 04:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 04:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 04:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 04:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 04:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 04:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 04:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 04:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 04:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 04:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 04:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 03:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 03:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 02:55:25 | 000,018,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2009/07/14 02:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 02:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 02:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 02:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 02:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 02:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 02:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 02:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 02:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 02:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 02:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 02:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 02:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 02:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 01:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/14 01:02:53 | 000,311,296 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2005/05/11 19:31:42 | 000,698,848 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SLDRV\slntamr.sys -- (Slntamr)
DRV - [2005/05/11 19:28:18 | 000,014,680 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\SLDRV\RecAgent.sys -- (RecAgent)
DRV - [2005/05/11 19:25:50 | 000,237,616 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SLDRV\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2005/05/11 19:20:58 | 000,101,328 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SLDRV\slnthal.sys -- (SlNtHal)
DRV - [2005/05/11 19:19:14 | 001,464,848 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SLDRV\mtlstrm.sys -- (Mtlstrm)
DRV - [2005/05/11 19:09:50 | 000,013,248 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SLDRV\slwdmsup.sys -- (SlWdmSup)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://shop.thefreevpn.com/home.php
IE - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 61 2C FC 4E E9 04 CB 01 [binary data]
IE - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2010/04/11 16:49:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/20 05:13:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/20 05:13:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2010/05/20 05:14:34 | 000,000,000 | ---D | M] -- C:\Users\XxX\AppData\Roaming\Mozilla\Extensions
[2010/05/20 05:14:34 | 000,000,000 | ---D | M] -- C:\Users\XxX\AppData\Roaming\Mozilla\Firefox\Profiles\bh5grulr.default\extensions
[2010/05/20 05:13:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/06/11 00:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll (BitComet)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [lxczbmgr.exe] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000..\Run: [Advanced Task Scheduler Basic] C:\Program Files\Advanced Task Scheduler Basic\advscheduler_bscadm.exe (Southsoftware.com)
O4 - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000..\Run: [Steam] D:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000..\Run: [Web Studio 5.0 Update Setup] C:\Users\XxX\AppData\Local\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe File not found
O4 - HKU\S-1-5-21-1017075052-1213670596-3501502907-1000..\Run: [Web Studio 5.0 Update Setup for All Users] C:\ProgramData\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe (Back To The Beach )
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: C:\Users\XxX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O4 - Startup: C:\Users\XxX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll (BitComet)
O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\BattleP.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\BattleP.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\BattleP.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\BattleP.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Windows\System32\BattleP.dll ()
O13 - gopher Prefix: missing
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} http://www.worldwinner.com/games/v48/brickout/brickout.cab (Brickout Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 00:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/11 00:42:20 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/09/04 09:10:21 | 000,214,408 | R--- | M] (Konami Digital Entertainment Co., Ltd.) - I:\autorun.exe -- [ UDF ]
O32 - AutoRun File - [2009/09/04 09:10:21 | 000,000,047 | R--- | M] () - I:\Autorun.inf -- [ UDF ]
O33 - MountPoints2\{8ff2a69b-456d-11df-8590-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{8ff2a69b-456d-11df-8590-806e6f6e6963}\Shell\AutoRun\command - "" = I:\autorun.exe -- [2009/09/04 09:10:21 | 000,214,408 | R--- | M] (Konami Digital Entertainment Co., Ltd.)
O33 - MountPoints2\{9432c355-4837-11df-b42f-0016e6d7f7b7}\Shell - "" = AutoRun
O33 - MountPoints2\{9432c355-4837-11df-b42f-0016e6d7f7b7}\Shell\AutoRun\command - "" = K:\Autorun.exe -- File not found
O33 - MountPoints2\{9432c356-4837-11df-b42f-0016e6d7f7b7}\Shell - "" = AutoRun
O33 - MountPoints2\{9432c356-4837-11df-b42f-0016e6d7f7b7}\Shell\AutoRun\command - "" = L:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/08 15:15:08 | 000,000,000 | ---D | C] -- C:\Program Files\kSolo
[2010/06/08 15:01:46 | 000,025,984 | ---- | C] (The OpenVPN Project) -- C:\Windows\System32\drivers\tap0901.sys
[2010/06/08 01:18:25 | 000,000,000 | ---D | C] -- C:\Program Files\VAMPIX WAPLINK
[2010/06/07 13:05:25 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\LOGS LOGS
[2010/06/05 08:53:22 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Xara
[2010/06/03 13:33:07 | 007,247,872 | ---- | C] (www.BabelStone.co.uk/Software/BabelPad.html) -- C:\Users\XxX\Desktop\BabelPad.exe
[2010/06/02 15:03:26 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Artisteer Templates
[2010/06/02 11:26:54 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\MyLogoMaker
[2010/06/02 11:26:52 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\MyLogoMaker
[2010/06/02 11:21:27 | 000,000,000 | ---D | C] -- C:\Program Files\MySoftware
[2010/06/02 11:13:18 | 000,090,112 | ---- | C] (MindVision Software) -- C:\Windows\unvise32.exe
[2010/06/02 11:11:59 | 000,000,000 | ---D | C] -- C:\Program Files\The Logo Creator v5
[2010/06/02 10:11:44 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\Artisteer
[2010/06/02 10:09:17 | 000,000,000 | ---D | C] -- C:\Program Files\Artisteer 2
[2010/06/01 18:41:06 | 000,000,000 | RH-D | C] -- C:\Users\XxX\AppData\Roaming\SecuROM
[2010/06/01 16:05:59 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\BFBC2
[2010/06/01 11:26:46 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\BioWare
[2010/06/01 11:25:09 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_6.dll
[2010/06/01 11:25:09 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_6.dll
[2010/06/01 11:25:09 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_4.dll
[2010/06/01 11:25:08 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_7.dll
[2010/06/01 11:24:00 | 000,000,000 | ---D | C] -- C:\Windows\System32\directx
[2010/06/01 11:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BioWare
[2010/06/01 11:03:14 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\Malwarebytes
[2010/06/01 11:02:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/06/01 11:02:51 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/06/01 11:02:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/06/01 11:02:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/31 17:18:32 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/31 17:14:48 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/31 17:14:17 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/05/31 05:46:49 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Local\THQ
[2010/05/29 04:10:57 | 000,000,000 | ---D | C] -- C:\ProgramData\SEGA Corporation
[2010/05/29 04:01:42 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Alpha Protocol
[2010/05/27 14:37:12 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Telltale Games
[2010/05/27 14:34:01 | 000,000,000 | ---D | C] -- C:\Program Files\Ubisoft
[2010/05/25 17:59:15 | 000,000,000 | ---D | C] -- C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
[2010/05/25 17:57:33 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\Prison Break
[2010/05/24 20:19:05 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\FileZilla
[2010/05/24 20:18:50 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2010/05/23 10:50:59 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/05/22 14:23:31 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\ImgBurn
[2010/05/22 13:50:40 | 000,000,000 | ---D | C] -- C:\Program Files\ImgBurn
[2010/05/21 23:34:56 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Local\Serif
[2010/05/21 23:34:56 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\MoviePlus
[2010/05/21 23:33:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2010/05/21 17:25:25 | 000,000,000 | -H-D | C] -- C:\ProgramData\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}
[2010/05/21 17:24:33 | 000,000,000 | ---D | C] -- C:\Program Files\BackToTheBeach
[2010/05/21 17:24:32 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\BackToTheBeach
[2010/05/21 03:51:52 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Hassan Intros
[2010/05/20 11:07:15 | 000,000,000 | ---D | C] -- C:\Users\XxX\Desktop\New Folder
[2010/05/20 11:00:18 | 000,938,272 | ---- | C] (WeOnlyDo! Inc.) -- C:\Windows\System32\wodFtpDLX.OCX
[2010/05/20 11:00:13 | 000,000,000 | ---D | C] -- C:\Program Files\CoffeeCup Software
[2010/05/20 05:14:27 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\Mozilla
[2010/05/20 05:14:27 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Local\Mozilla
[2010/05/20 05:13:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/20 04:35:03 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml4a.dll
[2010/05/20 04:35:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SourceTec
[2010/05/20 04:34:53 | 000,000,000 | ---D | C] -- C:\Program Files\SourceTec
[2010/05/19 22:23:15 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Sports
[2010/05/19 22:21:20 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Sliding Doors
[2010/05/19 22:06:06 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\AL Sakher
[2010/05/19 21:50:29 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\HiFi
[2010/05/19 21:49:56 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\SWiSH Max3
[2010/05/19 21:48:37 | 000,000,000 | ---D | C] -- C:\Program Files\LameACM
[2010/05/19 21:48:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SWiSHzone.com
[2010/05/19 21:48:10 | 000,000,000 | ---D | C] -- C:\Program Files\SWiSH Max3
[2010/05/19 21:03:33 | 000,000,000 | ---D | C] -- C:\Program Files\Show.kit 2.1
[2010/05/19 21:02:18 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\Thinstall
[2010/05/19 21:02:18 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Local\Thinstall
[2010/05/19 20:35:14 | 000,000,000 | ---D | C] -- C:\Program Files\A4DeskPro
[2010/05/19 19:45:32 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\A4DeskPro
[2010/05/19 06:22:57 | 000,000,000 | ---D | C] -- C:\ProgramData\ALM
[2010/05/19 06:21:22 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/05/19 06:06:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/05/19 05:43:41 | 000,000,000 | ---D | C] -- C:\Users\XxX\Desktop\Adobe CS3
[2010/05/19 05:14:40 | 000,000,000 | ---D | C] -- C:\Program Files\Flash Website Design
[2010/05/19 05:02:08 | 000,000,000 | ---D | C] -- C:\ProgramData\MAGIX
[2010/05/19 05:00:19 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\MAGIX
[2010/05/19 05:00:18 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Local\Xara
[2010/05/19 04:59:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Xara
[2010/05/19 04:59:30 | 000,000,000 | ---D | C] -- C:\Program Files\Xara
[2010/05/18 06:30:44 | 000,000,000 | ---D | C] -- C:\Users\XxX\Documents\Web Easy
[2010/05/18 06:30:43 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\Avanquest
[2010/05/18 04:57:17 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\BVRP Software
[2010/05/18 04:57:17 | 000,000,000 | ---D | C] -- C:\ProgramData\BVRP Software
[2010/05/18 04:57:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Avanquest
[2010/05/18 04:49:23 | 000,000,000 | ---D | C] -- C:\Program Files\Avanquest
[2010/05/18 04:45:18 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\InstallShield
[2010/05/17 17:40:20 | 000,000,000 | ---D | C] -- C:\ProgramData\FLEXnet
[2010/05/17 16:05:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MSSoap
[2010/05/16 02:14:03 | 000,000,000 | ---D | C] -- C:\Users\XxX\AppData\Roaming\Aleo Software
[2010/05/16 02:13:31 | 000,000,000 | ---D | C] -- C:\Program Files\Aleo Software
[2010/05/15 09:18:23 | 000,000,000 | ---D | C] -- C:\Program Files\Flash Effect Maker
[2010/05/15 07:40:24 | 000,000,000 | ---D | C] -- C:\Program Files\Intro Wizard Software
[2010/05/15 05:10:52 | 017,686,528 | ---- | C] (Intel Corporation / Blue Ripple Sound Limited) -- C:\Windows\System32\mkl_blueripple.dll
[2010/04/24 20:42:27 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxczinpa.dll
[2010/04/24 20:42:27 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxcziesc.dll
[2010/04/24 20:42:27 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXCZhcp.dll
[2010/04/24 20:42:26 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxczserv.dll
[2010/04/24 20:42:26 | 000,991,232 | ---- | C] ( ) -- C:\Windows\System32\lxczusb1.dll
[2010/04/24 20:42:26 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxczhbn3.dll
[2010/04/24 20:42:26 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxczpmui.dll
[2010/04/24 20:42:26 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxczlmpm.dll
[2010/04/24 20:42:26 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxczprox.dll
[2010/04/24 20:42:26 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxczpplc.dll
[2010/04/24 20:42:25 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxczcomc.dll
[2010/04/24 20:42:25 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxczcomm.dll
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/11 18:30:30 | 004,718,592 | -HS- | M] () -- C:\Users\XxX\ntuser.dat
[2010/06/11 18:30:04 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\seufxm.sys
[2010/06/11 18:27:35 | 000,010,354 | ---- | M] () -- C:\Users\XxX\Desktop\Malware.docx
[2010/06/11 18:25:16 | 000,000,162 | -H-- | M] () -- C:\Users\XxX\Desktop\~$alware.docx
[2010/06/11 18:17:00 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1017075052-1213670596-3501502907-1000UA.job
[2010/06/11 18:00:00 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\At1.job
[2010/06/11 17:03:49 | 000,138,592 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/06/11 17:03:41 | 000,219,128 | ---- | M] () -- C:\Windows\System32\PnkBstrB.xtr
[2010/06/10 20:28:55 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1017075052-1213670596-3501502907-1000Core.job
[2010/06/10 13:08:21 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/06/10 13:08:21 | 000,606,992 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/06/10 13:08:21 | 000,103,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/06/09 08:17:30 | 000,002,353 | ---- | M] () -- C:\Users\XxX\Desktop\Google Chrome.lnk
[2010/06/08 19:56:38 | 000,053,248 | ---- | M] () -- C:\Windows\System32\FastUv32.dll
[2010/06/08 19:56:36 | 000,002,304 | ---- | M] () -- C:\Windows\System32\mipsinf.sys
[2010/06/07 14:44:04 | 000,017,136 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/07 14:44:04 | 000,017,136 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/07 14:36:57 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/07 14:36:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/07 14:36:35 | 1610,260,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/07 14:34:56 | 001,543,922 | -H-- | M] () -- C:\Users\XxX\AppData\Local\IconCache.db
[2010/06/07 12:59:30 | 001,931,888 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/06/07 12:57:04 | 000,000,176 | ---- | M] () -- C:\Users\XxX\defogger_reenable
[2010/06/05 09:52:14 | 000,187,400 | ---- | M] () -- C:\Users\XxX\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/06/03 13:38:01 | 000,060,507 | ---- | M] () -- C:\Users\XxX\Documents\pluggable.php
[2010/06/03 13:36:17 | 000,114,568 | ---- | M] () -- C:\Users\XxX\Documents\functions.php
[2010/06/02 16:49:45 | 000,299,224 | ---- | M] () -- C:\Users\XxX\Documents\yara.artx
[2010/06/02 11:23:54 | 000,001,123 | ---- | M] () -- C:\Users\XxX\Desktop\MyLogo Maker.lnk
[2010/06/02 11:15:56 | 000,069,930 | ---- | M] () -- C:\Users\XxX\Documents\Yara1.png
[2010/06/02 11:13:14 | 000,001,027 | ---- | M] () -- C:\Users\XxX\Desktop\The Logo Creator v5.exe.lnk
[2010/06/02 10:10:32 | 000,001,087 | ---- | M] () -- C:\Users\XxX\Desktop\Artisteer 2.lnk
[2010/06/01 17:41:52 | 000,138,056 | ---- | M] () -- C:\Users\XxX\AppData\Roaming\PnkBstrK.sys
[2010/06/01 17:41:18 | 002,434,856 | ---- | M] () -- C:\Windows\System32\pbsvc_bc2.exe
[2010/06/01 14:09:21 | 188,676,605 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/01 11:27:33 | 000,524,288 | -HS- | M] () -- C:\Users\XxX\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TMContainer00000000000000000002.regtrans-ms
[2010/06/01 11:27:33 | 000,524,288 | -HS- | M] () -- C:\Users\XxX\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TMContainer00000000000000000001.regtrans-ms
[2010/06/01 11:27:33 | 000,065,536 | -HS- | M] () -- C:\Users\XxX\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TM.blf
[2010/06/01 11:23:53 | 000,000,740 | ---- | M] () -- C:\Users\XxX\Desktop\Mass Effect 2.lnk
[2010/06/01 11:02:57 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/27 12:20:10 | 000,002,072 | ---- | M] () -- C:\Users\Public\Desktop\Serif WebPlus X4.lnk
[2010/05/25 20:06:52 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/05/25 18:02:00 | 000,000,949 | ---- | M] () -- C:\Users\Public\Desktop\Prison Break - The Conspiracy.lnk
[2010/05/25 17:59:24 | 000,281,760 | ---- | M] () -- C:\Windows\System32\drivers\atksgt.sys
[2010/05/25 17:59:23 | 000,025,888 | ---- | M] () -- C:\Windows\System32\drivers\lirsgt.sys
[2010/05/24 20:18:55 | 000,001,950 | ---- | M] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2010/05/24 19:30:45 | 001,443,252 | ---- | M] () -- C:\Pligg CMS 1.0.4.zip
[2010/05/24 18:51:32 | 000,010,209 | ---- | M] () -- C:\Users\XxX\Desktop\New Microsoft Office Word Document (3).docx
[2010/05/22 13:50:41 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\ImgBurn.lnk
[2010/05/22 08:11:27 | 000,001,008 | ---- | M] () -- C:\Users\XxX\Desktop\wvs.exe - Shortcut.lnk
[2010/05/21 23:34:04 | 000,002,104 | ---- | M] () -- C:\Users\Public\Desktop\Serif MoviePlus X3.lnk
[2010/05/21 17:25:01 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\Web Studio 5.0.lnk
[2010/05/20 11:00:28 | 000,002,198 | ---- | M] () -- C:\Users\XxX\Desktop\CoffeeCup Web Form Builder.lnk
[2010/05/20 10:19:51 | 000,280,675 | ---- | M] () -- C:\Users\XxX\Documents\AlSakherNavBar.sqf
[2010/05/20 05:13:51 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/05/20 05:09:34 | 000,001,195 | ---- | M] () -- C:\Users\Public\Desktop\Aleo Flash Intro Banner Maker.lnk
[2010/05/20 04:35:05 | 000,001,100 | ---- | M] () -- C:\Users\Public\Desktop\Sothink SWF Quicker.lnk
[2010/05/19 21:48:41 | 000,000,988 | ---- | M] () -- C:\Users\Public\Desktop\SWiSH Max3.lnk
[2010/05/19 21:12:53 | 000,164,352 | ---- | M] () -- C:\Windows\System32\SpoonUninstall.exe
[2010/05/19 21:12:53 | 000,011,697 | ---- | M] () -- C:\Windows\System32\SpoonUninstall-Flash4D Version 2-4.dat
[2010/05/19 21:12:48 | 000,001,177 | ---- | M] () -- C:\Users\XxX\Desktop\Flash4D - Flash Intro Builder.lnk
[2010/05/19 21:12:32 | 000,114,818 | ---- | M] () -- C:\Windows\System32\SpoonUninstall-Flash4D Version 2-4.bmp
[2010/05/19 20:35:20 | 000,000,927 | ---- | M] () -- C:\Users\XxX\Desktop\A4DeskPro.lnk
[2010/05/19 05:00:10 | 000,001,000 | ---- | M] () -- C:\Users\Public\Desktop\Xara Web Designer 6.lnk
[2010/05/18 19:21:18 | 000,054,096 | ---- | M] () -- C:\Users\XxX\Documents\Site1.wpp
[2010/05/18 18:08:29 | 000,002,072 | ---- | M] () -- C:\Users\Public\Desktop\Serif WebPlus X2.lnk
[2010/05/18 04:57:15 | 000,002,119 | ---- | M] () -- C:\Users\Public\Desktop\Web Easy Professional 8.lnk
[2010/05/16 02:13:34 | 000,001,190 | ---- | M] () -- C:\Users\XxX\Desktop\Aleo Flash Slideshow Gallery Maker.lnk
[2010/05/15 09:19:32 | 000,001,148 | ---- | M] () -- C:\Users\XxX\Desktop\flasheffect.exe - Shortcut.lnk
[2010/05/15 07:40:51 | 000,000,423 | ---- | M] () -- C:\Windows\System32\SpoonUninstall-Flash4D Bonus Intro.dat
[2010/05/15 07:40:40 | 000,114,818 | ---- | M] () -- C:\Windows\System32\SpoonUninstall-Flash4D Bonus Intro.bmp
[2010/05/15 05:09:00 | 000,445,016 | ---- | M] (Creative Labs) -- C:\Windows\System32\wrap_oal.dll
[2010/05/15 05:09:00 | 000,109,144 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\System32\OpenAL32.dll
[2010/05/13 05:31:41 | 000,010,989 | ---- | M] () -- C:\Users\XxX\Desktop\New Microsoft Office Word Document (2).docx
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/11 18:25:16 | 000,000,162 | -H-- | C] () -- C:\Users\XxX\Desktop\~$alware.docx
[2010/06/11 18:24:54 | 000,010,354 | ---- | C] () -- C:\Users\XxX\Desktop\Malware.docx
[2010/06/08 19:56:38 | 000,053,248 | ---- | C] () -- C:\Windows\System32\FastUv32.dll
[2010/06/08 19:56:36 | 000,002,304 | ---- | C] () -- C:\Windows\System32\mipsinf.sys
[2010/06/07 12:56:46 | 000,000,176 | ---- | C] () -- C:\Users\XxX\defogger_reenable
[2010/06/03 13:37:36 | 000,060,507 | ---- | C] () -- C:\Users\XxX\Documents\pluggable.php
[2010/06/03 13:19:16 | 000,114,568 | ---- | C] () -- C:\Users\XxX\Documents\functions.php
[2010/06/02 15:02:05 | 000,299,224 | ---- | C] () -- C:\Users\XxX\Documents\yara.artx
[2010/06/02 11:23:54 | 000,001,123 | ---- | C] () -- C:\Users\XxX\Desktop\MyLogo Maker.lnk
[2010/06/02 11:15:56 | 000,069,930 | ---- | C] () -- C:\Users\XxX\Documents\Yara1.png
[2010/06/02 11:13:14 | 000,001,027 | ---- | C] () -- C:\Users\XxX\Desktop\The Logo Creator v5.exe.lnk
[2010/06/02 10:10:32 | 000,001,087 | ---- | C] () -- C:\Users\XxX\Desktop\Artisteer 2.lnk
[2010/06/01 17:41:18 | 002,434,856 | ---- | C] () -- C:\Windows\System32\pbsvc_bc2.exe
[2010/06/01 11:23:53 | 000,000,740 | ---- | C] () -- C:\Users\XxX\Desktop\Mass Effect 2.lnk
[2010/06/01 11:02:57 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/31 18:20:41 | 000,524,288 | -HS- | C] () -- C:\Users\XxX\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TMContainer00000000000000000002.regtrans-ms
[2010/05/31 18:20:41 | 000,524,288 | -HS- | C] () -- C:\Users\XxX\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TMContainer00000000000000000001.regtrans-ms
[2010/05/31 18:20:41 | 000,065,536 | -HS- | C] () -- C:\Users\XxX\ntuser.dat{fea3a01a-6cc7-11df-b2ae-0016e6d7f7b7}.TM.blf
[2010/05/27 12:20:09 | 000,002,072 | ---- | C] () -- C:\Users\Public\Desktop\Serif WebPlus X4.lnk
[2010/05/25 20:06:52 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2010/05/25 18:02:00 | 000,000,949 | ---- | C] () -- C:\Users\Public\Desktop\Prison Break - The Conspiracy.lnk
[2010/05/25 17:59:24 | 000,281,760 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2010/05/25 17:59:23 | 000,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2010/05/24 20:18:55 | 000,001,950 | ---- | C] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2010/05/24 19:30:59 | 001,443,252 | ---- | C] () -- C:\Pligg CMS 1.0.4.zip
[2010/05/24 18:46:36 | 000,010,209 | ---- | C] () -- C:\Users\XxX\Desktop\New Microsoft Office Word Document (3).docx
[2010/05/23 10:50:34 | 188,676,605 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/05/22 13:50:41 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\ImgBurn.lnk
[2010/05/22 08:11:27 | 000,001,008 | ---- | C] () -- C:\Users\XxX\Desktop\wvs.exe - Shortcut.lnk
[2010/05/21 23:34:04 | 000,002,104 | ---- | C] () -- C:\Users\Public\Desktop\Serif MoviePlus X3.lnk
[2010/05/21 17:25:01 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Web Studio 5.0.lnk
[2010/05/20 18:01:17 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\seufxm.sys
[2010/05/20 11:00:28 | 000,002,198 | ---- | C] () -- C:\Users\XxX\Desktop\CoffeeCup Web Form Builder.lnk
[2010/05/20 06:56:04 | 000,280,675 | ---- | C] () -- C:\Users\XxX\Documents\AlSakherNavBar.sqf
[2010/05/20 05:13:51 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/05/20 05:09:34 | 000,001,195 | ---- | C] () -- C:\Users\Public\Desktop\Aleo Flash Intro Banner Maker.lnk
[2010/05/20 04:35:05 | 000,001,100 | ---- | C] () -- C:\Users\Public\Desktop\Sothink SWF Quicker.lnk
[2010/05/19 21:48:41 | 000,000,988 | ---- | C] () -- C:\Users\Public\Desktop\SWiSH Max3.lnk
[2010/05/19 20:35:20 | 000,000,927 | ---- | C] () -- C:\Users\XxX\Desktop\A4DeskPro.lnk
[2010/05/19 05:00:10 | 000,001,000 | ---- | C] () -- C:\Users\Public\Desktop\Xara Web Designer 6.lnk
[2010/05/19 02:47:01 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\At1.job
[2010/05/18 18:18:00 | 000,054,096 | ---- | C] () -- C:\Users\XxX\Documents\Site1.wpp
[2010/05/18 18:08:29 | 000,002,072 | ---- | C] () -- C:\Users\Public\Desktop\Serif WebPlus X2.lnk
[2010/05/18 04:57:15 | 000,002,119 | ---- | C] () -- C:\Users\Public\Desktop\Web Easy Professional 8.lnk
[2010/05/16 02:13:34 | 000,001,190 | ---- | C] () -- C:\Users\XxX\Desktop\Aleo Flash Slideshow Gallery Maker.lnk
[2010/05/15 09:19:32 | 000,001,148 | ---- | C] () -- C:\Users\XxX\Desktop\flasheffect.exe - Shortcut.lnk
[2010/05/15 07:40:51 | 000,114,818 | ---- | C] () -- C:\Windows\System32\SpoonUninstall-Flash4D Bonus Intro.bmp
[2010/05/15 07:40:51 | 000,000,423 | ---- | C] () -- C:\Windows\System32\SpoonUninstall-Flash4D Bonus Intro.dat
[2010/05/15 07:40:37 | 000,164,352 | ---- | C] () -- C:\Windows\System32\SpoonUninstall.exe
[2010/05/15 07:40:37 | 000,114,818 | ---- | C] () -- C:\Windows\System32\SpoonUninstall-Flash4D Version 2-4.bmp
[2010/05/15 07:40:37 | 000,011,697 | ---- | C] () -- C:\Windows\System32\SpoonUninstall-Flash4D Version 2-4.dat
[2010/05/15 07:40:32 | 000,001,177 | ---- | C] () -- C:\Users\XxX\Desktop\Flash4D - Flash Intro Builder.lnk
[2010/05/13 05:09:44 | 000,010,989 | ---- | C] () -- C:\Users\XxX\Desktop\New Microsoft Office Word Document (2).docx
[2010/04/28 14:53:09 | 000,001,720 | ---- | C] () -- C:\Windows\System32\BATTLEP.ini
[2010/04/27 23:06:25 | 000,200,704 | ---- | C] () -- C:\Windows\System32\BattleP.dll
[2010/04/24 20:44:07 | 000,000,165 | ---- | C] () -- C:\Windows\Lexstat.ini
[2010/04/24 20:42:27 | 000,413,696 | ---- | C] () -- C:\Windows\System32\lxczutil.dll
[2010/04/24 20:42:27 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXCZinst.dll
[2010/04/23 14:44:58 | 000,196,608 | ---- | C] () -- C:\Windows\System32\lp.dll
[2010/04/23 12:48:04 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/04/18 05:42:53 | 000,327,168 | ---- | C] () -- C:\Windows\System32\cutil32.dll
[2010/04/12 08:09:04 | 000,138,592 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/04/12 08:08:47 | 000,000,319 | ---- | C] () -- C:\Windows\game.ini
[2010/04/11 16:46:39 | 000,163,840 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2010/04/11 16:46:38 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2010/04/11 16:46:38 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2010/04/11 16:46:37 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2010/04/11 16:46:36 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/04/11 16:46:36 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/07/14 02:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 02:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2007/04/27 10:43:58 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2007/02/07 18:58:12 | 000,039,899 | ---- | C] () -- C:\Windows\System32\rtsicis.ini
[2007/01/22 09:49:34 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxczcoin.dll
[2006/06/07 14:23:04 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxczcnv7.dll
[2006/03/27 12:19:14 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxczvs.dll
[2006/03/07 12:59:04 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxczcnv6.dll
[2006/01/10 18:11:06 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxczcnv5.dll
[2006/01/10 18:11:06 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxczcnv4.dll
[2005/05/11 19:54:04 | 000,077,824 | ---- | C] () -- C:\Windows\System32\slmdmco.dll
[2005/05/11 19:50:26 | 000,192,512 | ---- | C] () -- C:\Windows\System32\slmdmgx.dll
[2005/05/11 19:49:58 | 000,221,184 | ---- | C] () -- C:\Windows\System32\slmdmsp.dll
[2001/12/18 11:10:40 | 000,000,600 | ---- | C] () -- C:\Windows\wafi2000.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 436 bytes -> C:\Users\XxX\Documents\Site1.wpp:SummaryInformation
@Alternate Data Stream - 412 bytes -> C:\Users\XxX\Documents\alsakher.wpp:SummaryInformation
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:0749CBBA
< End of report >


OTL Extras logfile created on: 11/06/2010 06:27:56 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Users\XxX\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
8.00 Gb Paging File | 7.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): c:\pagefile.sys 0 0d:\pagefile.sys 4000 18000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.39 Gb Total Space | 96.62 Gb Free Space | 66.00% Space Free | Partition Type: NTFS
Drive D: | 785.03 Gb Total Space | 359.55 Gb Free Space | 45.80% Space Free | Partition Type: NTFS
Drive E: | 39.06 Gb Total Space | 18.41 Gb Free Space | 47.13% Space Free | Partition Type: NTFS
Drive F: | 58.59 Gb Total Space | 17.86 Gb Free Space | 30.48% Space Free | Partition Type: NTFS
Drive G: | 51.39 Gb Total Space | 1.65 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
Drive H: | 7.81 Mb Total Space | 0.07 Mb Free Space | 0.85% Space Free | Partition Type: NTFS
Drive I: | 5.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: HASSANPC
Current User Name: XxX
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1017075052-1213670596-3501502907-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{02418C87-F90C-4E47-8BA6-16226B35D9C3}" = Serif MoviePlus X3
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05BC428A-F2A5-4E11-8130-10C3237FD67B}" = Serif WebPlus X2 Resources
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{283FFB23-8751-4B08-ACB8-5E0F8BCF7727}" = Pro Evolution Soccer 2010
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{3D6CE6CE-E1C1-47C9-A734-78C53EBA5255}" = Xara Web Designer 6
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}" = Adobe Setup
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{73B5D990-04EA-4751-B10F-5534770B91F2}" = Adobe Color EU Recommended Settings
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7E6FA2FF-CC41-4145-9C06-19C1F78DF855}" = Microsoft Maren
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8829E394-87E1-41C0-BCED-9B47F7C6DCDD}" = Serif WebPlus X2
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"{93D207F3-905B-4AAC-8A56-FBF67766B240}" = Serif PagePlus 10.0
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96CFF0DB-C3C3-44B8-930C-1121EC68A3BF}" = Serif WebPlus X4 Resources
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ADA45A0-8043-470A-8E8B-02EA7D95F896}" = Serif WebPlus X4
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A6806D86-BFF3-49CD-8E2B-87BB3507E53F}" = Web Easy Professional 8
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{BB64E0B7-A10E-4720-AD15-924A84165EA3}" = Serif PagePlus 10.0 Resource CD-ROM
"{BBF0A67B-5DBA-452F-9D2E-6F168BC226E4}" = Need for Speed™ SHIFT
"{BFB7485D-A200-33CA-A2E1-E1600CA76484}" = Google Talk Plugin
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C5A31DDC-157A-4DD7-9B5C-C692A06F61FD}" = Prison Break
"{C8A47C0C-B2FF-4EB1-8180-2C39996AD22D}" = Web Studio 5.0
"{CF190C24-B924-4CF8-9A88-4BD75328E512}" = Web Easy Professional
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1" = Rapture3D 2.3.26 Game
"{D3490D20-3AE0-459D-AAD6-59195140EAC2}_is1" = Sothink SWF Quicker
"{D37FE0E3-B1A9-4E41-AB5D-DA62E04D2C42}" = Alpha Protocol
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D85A387E-6EC0-40E5-9D89-A148B3E93968}_is1" = Mass Effect 2
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}" = NVIDIA PhysX
"{E17EF5E4-5B2E-4E1D-AF84-707D9A91A383}" = Serif WebPlus X2 Template Pack: Business & Commerce
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3880573-B551-4549-B67E-8AC09AC919B6}" = Trendyflash Site Builder
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FD38FCBF-28FF-4ABD-9003-101178B7D9AE}" = Web Designer 6 Content
"{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}" = Adobe Color NA Extra Settings
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"a4deskpro_webunion_is1" = A4DeskPro v4.09
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_a04a925a57548091300ada368235fc6" = Adobe Illustrator CS3
"Advanced Task Scheduler Basic" = Advanced Task Scheduler Basic (Repair or Remove)
"Aleo Flash Intro Banner Maker_is1" = Aleo Flash Intro Banner Maker 3.0
"Aleo Flash Slideshow Gallery Maker_is1" = Aleo Flash Slideshow Gallery Maker 1.6
"Artisteer 2" = Artisteer 2
"avast5" = avast! Free Antivirus
"BattlePing" = BattlePing
"BitComet" = BitComet 1.18
"CoffeeCup Web Form Builder - Registered" = CoffeeCup Web Form Builder - Registered
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"Counter-Strike 1.6" = Counter-Strike 1.6
"CSI - Deadly Intent" = CSI - Deadly Intent
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FileZilla Client" = FileZilla Client 3.3.2.1
"Flash Effect Maker Update trial to full_is1" = Flash Effect Maker Pro 5.0 (578 Templates/Unicode UTF8/3D Text/
"Flash Website Design_is1" = Flash Website Design Trial 2.0(563 Templates/Unicode UTF8)
"Flash4D Bonus Intro" = Flash4D Bonus Intro
"Flash4D Version 2-4" = Flash4D Version 2-4
"FreeTunel2 2.0" = FreeTunel2 2.0
"Garena" = Garena 2010
"ImgBurn" = ImgBurn
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 3.3.0
"kSolo" = kSolo Recorder
"LameACM" = LameACM
"Lexmark 1200 Series" = Lexmark 1200 Series
"MAGIX_MSI_Xara_Web_Designer_6" = Xara Web Designer 6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"Mumble" = Mumble and Murmur
"MyLogoMaker_is1" = MyLogoMaker 2.0
"Nero8Lite_is1" = Nero 8 Lite 8.1.1.4
"NodEnabler" = NodEnabler 3.2.4
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"PC Wizard 2010_is1" = PC Wizard 2010.1.93
"PunkBusterSvc" = PunkBuster Services
"RAR Password Cracker" = RAR Password Cracker (remove only)
"RAR Password Recovery Magic_is1" = RAR Password Recovery Magic v6.1.1.257
"RealPlayer 6.0" = RealPlayer
"ST6UNST #1" = Golden Al-Wafi Translator
"Steam App 12840" = DiRT 2
"SWiSH Max3" = SWiSH Max3
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"The Logo Creator v5" = The Logo Creator v5
"Veetle TV" = Veetle TV 0.9.17
"VentriloMix1.2" = VentriloMix
"VLC media player" = VLC media player 1.0.5
"Web Page Maker_is1" = Web Page Maker V3.0
"Web Studio 5.0" = Web Studio 5.0
"Winamp" = Winamp
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger
"ZZEE PHP GUI_is1" = ZZEE PHP GUI 3.1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1017075052-1213670596-3501502907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-11 19:06:59
Windows 6.1.7600
Running: y2jck4x1.exe; Driver: C:\Users\XxX\AppData\Local\Temp\uxlcipoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C373F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C371DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C376F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C381A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x89215AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x892158EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x89215A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C97579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBBF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82DF5279 7 Bytes JMP 89215A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E5CF59 5 Bytes JMP 89211536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82E76C5F 5 Bytes JMP 89212F28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 82E84CE3 7 Bytes JMP 892158EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82F2EE52 7 Bytes JMP 89215ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\Drivers\seufxm.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA1739300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA177C300, 0x1BEE, 0xE8000020]
.text peauth.sys A3C0CC9D 28 Bytes JMP C94CFE34
.text peauth.sys A3C0CCC1 28 Bytes JMP C94CFE58

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!NtProtectVirtualMemory 771E5360 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!NtWriteVirtualMemory 771E5EE0 5 Bytes JMP 0015000A
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!KiUserExceptionDispatcher 771E6448 5 Bytes JMP 0013000A
.text C:\Windows\system32\svchost.exe[1076] ole32.dll!CoCreateInstance 769A57FC 5 Bytes JMP 0091000A
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!GetCursorPos 755FC198 5 Bytes JMP 00A5000A
.text C:\Windows\Explorer.EXE[1608] ntdll.dll!NtProtectVirtualMemory 771E5360 5 Bytes JMP 0038000A
.text C:\Windows\Explorer.EXE[1608] ntdll.dll!NtWriteVirtualMemory 771E5EE0 5 Bytes JMP 0039000A
.text C:\Windows\Explorer.EXE[1608] ntdll.dll!KiUserExceptionDispatcher 771E6448 5 Bytes JMP 0037000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8631C810
Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86565D01

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\seufxm@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\seufxm@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\seufxm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\seufxm@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB1 0x59 0xD3 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2B 0xF5 0x99 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x09 0x3D 0xE7 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x7A 0xBE 0xE7 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x34 0xB7 0x84 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\seufxm@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\seufxm@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\seufxm@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\seufxm@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB1 0x59 0xD3 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2B 0xF5 0x99 0x7A ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x09 0x3D 0xE7 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x7A 0xBE 0xE7 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x34 0xB7 0x84 0xD8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1127
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Downloads\A4DeskPro Flash Website Builder 4.09{H33T}[HartFM®]\A4DeskPro_Flash_Website_Builder_4.09\A4DeskPro_Flash_Website_Builder_4.09\a4deskpro_setup.exe 1

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
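The GMER report above is plain text with one record per line, and a handful of line shapes carry most of what a responder reads first: a `?` line for a driver file GMER could not open, `Reg` lines with the matching service's start settings, `.text` lines for inline JMP hooks inside user processes, and `File` lines it flags as modified. As an added example that is not part of this thread and not GMER's own code, the Python below pulls those records out of a report and groups them into findings. The line formats are inferred from the log as posted; the sample report is constructed for the example (only the atapi.sys line is taken from the posted log), and the service, driver and vendor names in it are placeholders.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not from this thread).

Line shapes this script understands, as they appear in the posted report:

    ? <driver path> <error text> !                       driver GMER could not read
    Reg <hive\...\services\<svc>>@<value> <data>         service configuration
    .text <image>[<pid>] <dll>!<export> <addr> <n> Bytes JMP <target> [<module> (desc)]
    File <path> suspicious modification                  file GMER flags as changed

The regular expressions are written against those shapes; they are this
example's assumption, not GMER's own parser.
"""
import re

# Constructed sample report. The '?', Reg and hook lines are invented for the
# example (placeholder names); the atapi.sys File line is the one posted above.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
? System32\Drivers\example.sys A device attached to the system is not functioning. !
PAGE ntkrnlpa.exe!ZwLoadDriver 82DF5279 7 Bytes JMP 89215A28 \SystemRoot\System32\Drivers\vendor_av.SYS (self protection module/Example AV Vendor)

---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!NtProtectVirtualMemory 771E5360 5 Bytes JMP 0014000A
.text C:\Windows\Explorer.EXE[1608] ntdll.dll!NtWriteVirtualMemory 771E5EE0 5 Bytes JMP 0039000A
.text C:\Windows\Explorer.EXE[1608] USER32.dll!GetCursorPos 755FC198 5 Bytes JMP 6B0B2A40 C:\Program Files\Example Vendor\hook.dll (Example hook/Example Vendor)

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\example@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\example@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\example@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\benign@Start 3

---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

RE_BAD_DRIVER = re.compile(r"^\? (?P<path>\S+) (?P<msg>.+)$")
RE_REG = re.compile(r"^Reg (?P<key>\S+?\\services\\(?P<svc>[^\\@\s]+))@(?P<name>\w+) (?P<data>.*)$")
RE_HOOK = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>\S+)!(?P<export>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]+)(?P<attr>.*)$"
)
RE_FILE = re.compile(r"^File (?P<path>.+?) (?P<note>suspicious modification.*)$")


def parse_gmer(text):
    """Split a GMER report into the four record types the triage uses."""
    unreadable = {}   # driver basename without .sys -> path GMER could not read
    services = {}     # service name -> {value name: data}
    hooks = []        # (image, pid, "dll!export", target) for hooks with no module attribution
    modified = []     # paths GMER flags as 'suspicious modification'
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_BAD_DRIVER.match(line)
        if m:
            base = m.group("path").rsplit("\\", 1)[-1].lower()
            unreadable[base[:-4] if base.endswith(".sys") else base] = m.group("path")
            continue
        m = RE_REG.match(line)
        if m:
            services.setdefault(m.group("svc").lower(), {})[m.group("name")] = m.group("data")
            continue
        m = RE_HOOK.match(line)
        if m:
            # A trailing module path means GMER attributed the hook to a loaded
            # product (as it does for the antivirus driver in the posted log).
            if not m.group("attr").strip():
                hooks.append((m.group("image"), int(m.group("pid")),
                              f"{m.group('module')}!{m.group('export')}", m.group("target")))
            continue
        m = RE_FILE.match(line)
        if m:
            modified.append(m.group("path"))
    return unreadable, services, hooks, modified


def triage(text):
    """Return the findings a responder would review first, as a list of dicts."""
    unreadable, services, hooks, modified = parse_gmer(text)
    findings = []
    # A service that starts at boot (Start = 0) whose driver file GMER cannot
    # read: the same combination the posted log shows for 'seufxm'.
    for svc, values in services.items():
        if values.get("Start") == "0" and svc in unreadable:
            findings.append({"kind": "boot-start service with unreadable driver",
                             "subject": svc,
                             "detail": f"{unreadable[svc]} (Group: {values.get('Group', '?')})"})
    # Inline JMP hooks in user processes that GMER could not tie to any module.
    for image, pid, func, target in hooks:
        findings.append({"kind": "unattributed user-mode hook",
                         "subject": f"{image}[{pid}]",
                         "detail": f"{func} -> {target}"})
    for path in modified:
        findings.append({"kind": "file flagged as modified", "subject": path, "detail": ""})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:42} {f['subject']}  {f['detail']}")
```

Run against the sample, the script reports one boot-start service whose driver could not be read, two unattributed hooks in svchost.exe and Explorer.EXE, and the flagged atapi.sys; the hook attributed to a named module and the service with Start = 3 are left out. To use it on a real report, read the saved GMER text file and pass its contents to `triage()`.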


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:05 AM

Posted 11 June 2010 - 11:29 AM

Hello again, that's a lot of malware showing up (both in your earlier topic and this one). First of all, however, consider the following information.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#5 Hassan H

Hassan H
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:05 AM

Posted 11 June 2010 - 05:36 PM

I honestly hope I'll be able to remove the infections without a format and a reinstall of the OS.

And again, I can't thank you enough for your help.


Here is the combo fix log:

ComboFix 10-06-10.06 - XxX 12/06/2010 1:06.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1256.962.1033.18.2048.1203 [GMT 3:00]
Running from: c:\users\XxX\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\certstore.dat

.
((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 21:51 . 2010-06-11 21:57 -------- d-----w- C:\32788R22FWJFW
2010-06-08 16:56 . 2010-06-08 16:56 53248 ----a-w- c:\windows\system32\FastUv32.dll
2010-06-08 16:56 . 2010-06-08 16:56 2304 ----a-w- c:\windows\system32\mipsinf.sys
2010-06-08 12:15 . 2010-06-08 12:15 -------- d-----w- c:\program files\kSolo
2010-06-08 12:01 . 2009-11-20 13:26 25984 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-06-07 22:18 . 2010-06-07 22:18 -------- d-----w- c:\program files\VAMPIX WAPLINK
2010-06-02 08:26 . 2010-06-02 08:26 -------- d-----w- c:\users\XxX\AppData\Roaming\MyLogoMaker
2010-06-02 08:21 . 2010-06-02 08:21 -------- d-----w- c:\program files\MySoftware
2010-06-02 08:13 . 2004-03-29 13:23 90112 ----a-w- c:\windows\unvise32.exe
2010-06-02 08:11 . 2010-06-02 08:13 -------- d-----w- c:\program files\The Logo Creator v5
2010-06-02 07:11 . 2010-06-02 07:11 -------- d-----w- c:\users\XxX\AppData\Roaming\Artisteer
2010-06-02 07:09 . 2010-06-02 07:09 -------- d-----w- c:\program files\Artisteer 2
2010-06-01 15:41 . 2010-06-01 15:41 -------- d--h--r- c:\users\XxX\AppData\Roaming\SecuROM
2010-06-01 14:41 . 2010-06-01 14:41 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-06-01 08:25 . 2010-02-04 07:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-06-01 08:25 . 2010-02-04 07:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-06-01 08:25 . 2010-02-04 07:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-06-01 08:25 . 2010-02-04 07:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-01 08:21 . 2010-06-01 08:21 -------- d-----w- c:\program files\Common Files\BioWare
2010-06-01 08:03 . 2010-06-01 08:03 -------- d-----w- c:\users\XxX\AppData\Roaming\Malwarebytes
2010-06-01 08:02 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 08:02 . 2010-06-01 08:02 -------- d-----w- c:\programdata\Malwarebytes
2010-06-01 08:02 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 08:02 . 2010-06-01 08:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 02:46 . 2010-05-31 02:46 -------- d-----w- c:\users\XxX\AppData\Local\THQ
2010-05-29 01:10 . 2010-05-29 01:10 -------- d-----w- c:\programdata\SEGA Corporation
2010-05-27 11:34 . 2010-05-27 11:34 -------- d-----w- c:\program files\Ubisoft
2010-05-25 14:59 . 2010-05-25 14:59 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-05-25 14:59 . 2010-05-25 14:59 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-05-25 14:59 . 2010-05-25 14:59 -------- d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2010-05-25 14:57 . 2010-05-25 15:03 -------- d-----w- c:\users\XxX\AppData\Roaming\Prison Break
2010-05-24 17:19 . 2010-06-04 00:27 -------- d-----w- c:\users\XxX\AppData\Roaming\FileZilla
2010-05-24 17:18 . 2010-05-24 17:18 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-24 16:30 . 2010-05-24 16:30 1443252 ----a-w- C:\Pligg CMS 1.0.4.zip
2010-05-22 11:23 . 2010-05-22 11:28 -------- d-----w- c:\users\XxX\AppData\Roaming\ImgBurn
2010-05-22 10:50 . 2010-05-22 10:50 -------- d-----w- c:\program files\ImgBurn
2010-05-21 20:34 . 2010-05-21 20:34 -------- d-----w- c:\users\XxX\AppData\Local\Serif
2010-05-21 20:33 . 2010-05-21 20:33 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-21 14:25 . 2010-05-21 15:19 -------- dc-h--w- c:\programdata\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}
2010-05-21 14:25 . 2010-02-22 22:47 2916202 -c--a-w- c:\programdata\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe
2010-05-21 14:24 . 2010-05-21 14:24 -------- d-----w- c:\program files\BackToTheBeach
2010-05-21 14:24 . 2010-05-21 14:24 -------- d-----w- c:\users\XxX\AppData\Roaming\BackToTheBeach
2010-05-20 08:00 . 2010-05-20 08:00 -------- d-----w- c:\program files\CoffeeCup Software
2010-05-20 02:14 . 2010-05-20 02:14 -------- d-----w- c:\users\XxX\AppData\Local\Mozilla
2010-05-20 01:35 . 2010-05-20 01:35 -------- d-----w- c:\program files\Common Files\SourceTec
2010-05-20 01:35 . 2009-06-04 12:28 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-05-20 01:34 . 2010-05-20 01:34 -------- d-----w- c:\program files\SourceTec
2010-05-19 18:49 . 2010-05-19 19:00 -------- d-----w- c:\users\XxX\AppData\Roaming\SWiSH Max3
2010-05-19 18:48 . 2010-05-19 18:48 -------- d-----w- c:\program files\LameACM
2010-05-19 18:48 . 2010-05-19 18:48 -------- d-----w- c:\program files\Common Files\SWiSHzone.com
2010-05-19 18:48 . 2010-05-19 18:49 -------- d-----w- c:\program files\SWiSH Max3
2010-05-19 18:03 . 2010-05-19 18:04 -------- d-----w- c:\program files\Show.kit 2.1
2010-05-19 18:02 . 2010-05-19 18:02 -------- d-----w- c:\users\XxX\AppData\Roaming\Thinstall
2010-05-19 18:02 . 2010-05-19 18:02 -------- d-----w- c:\users\XxX\AppData\Local\Thinstall
2010-05-19 17:35 . 2010-05-19 17:35 -------- d-----w- c:\program files\A4DeskPro
2010-05-19 16:45 . 2010-05-19 17:35 -------- d-----w- c:\users\XxX\AppData\Roaming\A4DeskPro
2010-05-19 03:22 . 2010-05-19 03:22 -------- d-----w- c:\programdata\ALM
2010-05-19 03:21 . 2010-05-19 03:21 -------- d-----w- c:\program files\Bonjour
2010-05-19 03:06 . 2010-05-19 03:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-05-19 02:14 . 2010-05-19 02:15 -------- d-----w- c:\program files\Flash Website Design
2010-05-19 02:02 . 2010-05-19 02:02 -------- d-----w- c:\programdata\MAGIX
2010-05-19 02:00 . 2010-05-19 02:02 -------- d-----w- c:\users\XxX\AppData\Roaming\MAGIX
2010-05-19 02:00 . 2010-05-19 02:00 -------- d-----w- c:\users\XxX\AppData\Local\Xara
2010-05-19 01:59 . 2010-05-19 01:59 -------- d-----w- c:\programdata\Xara
2010-05-19 01:59 . 2010-05-19 01:59 -------- d-----w- c:\program files\Xara
2010-05-18 03:30 . 2010-05-18 03:30 -------- d-----w- c:\users\XxX\AppData\Roaming\Avanquest
2010-05-18 01:57 . 2010-05-18 03:31 -------- d-----w- c:\programdata\Avanquest
2010-05-18 01:57 . 2010-05-18 01:57 -------- d-----w- c:\programdata\BVRP Software
2010-05-18 01:49 . 2010-05-18 01:49 -------- d-----w- c:\program files\Avanquest
2010-05-18 01:45 . 2010-05-18 01:45 -------- d-----w- c:\users\XxX\AppData\Roaming\InstallShield
2010-05-17 14:40 . 2010-05-17 14:40 -------- d-----w- c:\programdata\FLEXnet
2010-05-17 13:17 . 2010-05-17 13:17 10134 ----a-r- c:\users\XxX\AppData\Roaming\Microsoft\Installer\{BB64E0B7-A10E-4720-AD15-924A84165EA3}\ARPPRODUCTICON.exe
2010-05-15 23:14 . 2010-05-20 02:09 -------- d-----w- c:\users\XxX\AppData\Roaming\Aleo Software
2010-05-15 23:13 . 2010-05-20 02:09 -------- d-----w- c:\program files\Aleo Software
2010-05-15 06:18 . 2010-05-15 06:18 -------- d-----w- c:\program files\Flash Effect Maker
2010-05-15 04:40 . 2010-05-15 04:40 423 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Bonus Intro.dat
2010-05-15 04:40 . 2010-05-19 18:12 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-05-15 04:40 . 2010-05-19 18:12 11697 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Version 2-4.dat
2010-05-15 04:40 . 2010-05-15 04:40 -------- d-----w- c:\program files\Intro Wizard Software
2010-05-15 02:10 . 2009-11-01 10:11 17686528 ----a-w- c:\windows\system32\mkl_blueripple.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 21:59 . 2010-04-12 04:59 -------- d-----w- c:\users\XxX\AppData\Roaming\BitComet
2010-06-11 16:02 . 2010-04-12 15:21 -------- d-----w- c:\users\XxX\AppData\Roaming\vlc
2010-06-11 14:03 . 2010-04-12 05:09 138592 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-11 14:03 . 2010-04-12 05:08 219128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-05 06:52 . 2010-04-11 13:52 187400 ----a-w- c:\users\XxX\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-01 18:29 . 2010-04-23 11:26 -------- d-----w- c:\users\XxX\AppData\Roaming\Skype
2010-06-01 18:08 . 2010-04-23 11:27 -------- d-----w- c:\users\XxX\AppData\Roaming\skypePM
2010-06-01 14:41 . 2010-04-12 05:09 138056 ----a-w- c:\users\XxX\AppData\Roaming\PnkBstrK.sys
2010-06-01 14:41 . 2010-04-12 05:09 138056 ----a-w- c:\users\XxX\AppData\Roaming\PnkBstrK.sys
2010-06-01 08:26 . 2010-04-23 09:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-01 08:26 . 2010-04-20 06:43 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-01 08:25 . 2010-04-12 06:40 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-29 00:42 . 2010-04-11 13:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-25 17:06 . 2010-05-25 17:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-22 05:21 . 2010-05-03 01:06 -------- d-----w- c:\program files\Garena
2010-05-21 20:34 . 2010-04-30 05:11 -------- d-----w- c:\users\XxX\AppData\Roaming\Serif
2010-05-21 20:31 . 2010-04-30 05:09 -------- d-----w- c:\program files\Serif
2010-05-19 17:21 . 2010-04-26 11:00 -------- d-----w- c:\program files\Common Files\Steam
2010-05-19 03:20 . 2010-04-11 13:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 13:02 . 2010-04-11 13:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-15 02:11 . 2010-04-26 10:45 -------- d-----w- c:\programdata\Codemasters
2010-05-15 02:10 . 2010-04-26 10:42 -------- d-----w- c:\program files\BRS
2010-05-15 02:09 . 2010-04-26 10:41 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-15 02:09 . 2010-04-26 10:41 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-12 08:21 . 2010-04-11 16:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 01:52 . 2010-05-11 01:52 -------- d-----w- c:\program files\TrendyFlash Site Builder
2010-05-10 23:10 . 2010-05-10 23:10 -------- d-----w- c:\programdata\Alwil Software
2010-05-10 23:10 . 2010-05-10 23:10 -------- d-----w- c:\program files\Alwil Software
2010-05-08 03:14 . 2010-04-11 17:26 -------- d-----w- c:\program files\ESET
2010-05-07 09:55 . 2010-05-07 09:55 255472 ----a-w- c:\users\XxX\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-05-06 20:59 . 2010-05-10 23:10 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2010-05-10 23:10 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-05-10 23:11 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-05-10 23:11 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-05-10 23:11 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:34 . 2010-05-10 23:11 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-06 20:33 . 2010-05-10 23:11 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-04 01:25 . 2010-05-04 01:25 10134 ----a-r- c:\users\XxX\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-05-04 01:25 . 2010-05-04 01:25 -------- d-----w- c:\program files\Microsoft WSE
2010-05-03 14:34 . 2010-05-03 14:34 -------- d-----w- c:\program files\RAR Password Recovery Magic
2010-05-03 14:25 . 2010-05-03 14:25 -------- d-----w- c:\program files\RAR Password Cracker
2010-05-02 02:51 . 2010-04-11 13:31 -------- d-----w- c:\programdata\Microsoft Help
2010-05-01 20:49 . 2010-04-23 09:24 -------- d-----w- c:\users\XxX\AppData\Roaming\Ventrilo
2010-04-30 05:22 . 2010-04-30 05:22 -------- d-----w- c:\program files\MSXML 4.0
2010-04-29 16:41 . 2010-04-29 16:41 313168 ----a-w- c:\windows\system32\WPPFilt.dll
2010-04-27 20:06 . 2010-04-27 20:06 -------- d-----w- c:\program files\BattlePing
2010-04-26 10:50 . 2010-04-26 10:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-26 10:42 . 2010-04-26 10:41 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-26 10:41 . 2010-04-26 10:41 -------- d-----w- c:\program files\OpenAL
2010-04-24 23:38 . 2010-04-24 23:38 -------- d-----w- c:\program files\Advanced Task Scheduler Basic
2010-04-24 23:18 . 2010-04-24 23:18 -------- d-----w- c:\programdata\Z-Manufaktur
2010-04-24 17:44 . 2010-04-24 17:42 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-04-23 17:45 . 2010-04-23 17:44 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-04-23 17:34 . 2010-04-23 17:33 -------- d-----w- c:\program files\Mumble
2010-04-23 17:32 . 2010-04-23 17:32 -------- d-----w- c:\program files\VentriloMix
2010-04-23 11:27 . 2010-04-23 11:27 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-04-23 11:26 . 2010-04-23 11:26 -------- d-----w- c:\program files\Common Files\Skype
2010-04-23 11:26 . 2010-04-23 11:26 -------- d-----r- c:\program files\Skype
2010-04-23 11:26 . 2010-04-23 11:25 -------- d-----w- c:\programdata\Skype
2010-04-23 09:48 . 2010-04-23 09:48 -------- d-----w- c:\program files\Ventrilo
2010-04-22 13:48 . 2010-04-22 13:48 -------- d-----w- c:\program files\ZZEE
2010-04-21 18:39 . 2010-04-21 18:39 -------- d-----w- c:\programdata\Hewlett-Packard
2010-04-20 18:47 . 2010-04-20 18:45 -------- d-----w- c:\program files\Veetle
2010-04-20 06:41 . 2010-04-15 02:32 -------- d-----w- c:\users\XxX\AppData\Roaming\DAEMON Tools Lite
2010-04-18 02:55 . 2010-04-12 04:36 -------- d--h--w- c:\program files\Temp
2010-04-18 02:42 . 2010-04-18 02:42 -------- d-----w- c:\program files\CPUID
2010-04-17 08:36 . 2010-04-17 07:15 -------- d-----w- c:\users\XxX\AppData\Roaming\Web Page Maker
2010-04-17 07:15 . 2010-04-17 07:15 -------- d-----w- c:\program files\Web Page Maker
2010-04-15 02:34 . 2010-04-15 02:34 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-04-15 02:34 . 2010-04-15 02:32 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-15 02:32 . 2010-04-15 02:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-15 02:32 . 2010-04-15 02:32 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-04-13 01:09 . 2010-04-13 01:09 -------- d-----w- c:\users\XxX\AppData\Roaming\Media Player Classic
2010-04-12 07:36 . 2010-04-12 05:08 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-11 13:54 . 2010-04-11 13:54 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-04-11 13:54 . 2010-04-11 13:54 172032 ------w- c:\windows\Setup1.exe
2010-04-11 13:49 . 2010-04-11 13:48 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-11 13:49 . 2010-04-11 13:46 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-28 14:00 . 2010-04-23 11:44 196608 ----a-w- c:\windows\system32\lp.dll
2010-03-22 11:22 . 2010-04-12 04:36 1247776 ----a-w- c:\windows\RtlExUpd.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2009-07-14 01:14 . FCE8BF502433C24B5C23B7F75992A621 . 47104 . . [------] . . c:\windows\System32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\XxX\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Advanced Task Scheduler Basic"="c:\program files\Advanced Task Scheduler Basic\advscheduler_bscadm.exe" [2010-04-02 2326528]
"Steam"="d:\program files\Steam\Steam.exe" [2010-05-07 1238352]
"Web Studio 5.0 Update Setup"="c:\users\XxX\AppData\Local\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe" [BU]
"Web Studio 5.0 Update Setup for All Users"="c:\programdata\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe" [2010-02-22 2916202]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-11 185896]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-19 8452640]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2009-04-27 74408]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-05-06 2815192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\XxX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-4-23 0]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-04-13 08:09 49152 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-08-18 15:27 5137648 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

R3 GarenaPEngine;GarenaPEngine;c:\users\XxX\AppData\Local\Temp\XVY95CC.tmp [x]
R3 mipsinf;mipsinf;c:\windows\system32\mipsinf.sys [2010-06-08 2304]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-15 691696]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S3 BATTLEP;BATTLEP;c:\program files\BattlePing\BattleP.exe [2009-12-24 1568768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*Deregistered* - seufxm

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7E6FA2FF-CC41-4145-9C06-19C1F78DF855}]
2009-06-23 11:35 16624 ----a-w- c:\program files\Microsoft\Microsoft Maren\Bin\reg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{970EA2E9-E7B8-45E1-9CB5-0DEB37C2C28D}]
2009-06-25 20:50 422672 ----a-w- c:\program files\Microsoft\Microsoft Maren\Bin\TextService.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1017075052-1213670596-3501502907-1000Core.job
- c:\users\XxX\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 17:12]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1017075052-1213670596-3501502907-1000UA.job
- c:\users\XxX\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 17:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://shop.thefreevpn.com/home.php
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
LSP: c:\windows\system32\BattleP.dll
FF - ProfilePath - c:\users\XxX\AppData\Roaming\Mozilla\Firefox\Profiles\bh5grulr.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\XxX\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\XxX\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x864A2D01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x852bd398
QueryNameProcedure -> 0x852bd528
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\XxX\AppData\Local\Temp\XVY95CC.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\seufxm]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1017075052-1213670596-3501502907-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:ad,f3,36,c0,2b,1c,ef,4c,7f,32,db,35,dd,99,4e,19,34,b3,94,bb,71,
5b,48,06,0c,fe,6f,ba,76,af,b9,f8,93,01,3e,1c,a8,fc,ab,c3,dc,ea,bb,f4,d7,13,\
"rkeysecu"=hex:44,c8,b9,9f,32,57,3b,cb,d1,4b,2e,c3,b7,6d,88,b1

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-12 01:20:13
ComboFix-quarantined-files.txt 2010-06-11 22:20
ComboFix2.txt 2010-05-31 14:50

Pre-Run: 103,545,217,024 bytes free
Post-Run: 103,764,398,080 bytes free

- - End Of File - - 03325EE90FF235EB71D431BC4D7BC489


#6 Elise (Malware Study Hall Admin, Romania)

Posted 12 June 2010 - 01:56 AM

Hello again,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
TDL::
C:\Windows\system32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#7 Hassan H (Topic Starter)

Posted 12 June 2010 - 06:50 AM

Done,

ComboFix 10-06-11.01 - XxX 12/06/2010 14:31:52.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1256.962.1033.18.2048.1175 [GMT 3:00]
Running from: c:\users\XxX\Downloads\ComboFix.exe
Command switches used :: c:\users\XxX\Desktop\CFScript.txt.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-12 11:41 . 2010-06-12 11:43 -------- d-----w- c:\users\XxX\AppData\Local\temp
2010-06-12 11:41 . 2010-06-12 11:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-12 11:41 . 2010-06-12 11:41 -------- d-----w- c:\users\Desktop\AppData\Local\temp
2010-06-12 11:41 . 2010-06-12 11:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-12 11:24 . 2010-06-12 11:24 -------- d-----w- C:\Device
2010-06-12 11:15 . 2010-06-12 11:16 -------- d-----w- C:\32788R22FWJFW
2010-06-12 01:38 . 2010-06-12 01:38 -------- d-----w- c:\users\XxX\AppData\Local\storage
2010-06-12 01:38 . 2010-06-12 01:38 -------- d-----w- c:\programdata\Ubisoft
2010-06-12 01:17 . 2010-06-02 01:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-12 01:17 . 2010-06-02 01:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-12 01:17 . 2010-06-02 01:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-06-12 01:17 . 2010-05-26 08:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-06-12 01:17 . 2010-05-26 08:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-06-12 01:17 . 2010-05-26 08:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-06-12 01:17 . 2010-05-26 08:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-06-12 01:17 . 2010-05-26 08:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-06-08 16:56 . 2010-06-08 16:56 53248 ----a-w- c:\windows\system32\FastUv32.dll
2010-06-08 16:56 . 2010-06-08 16:56 2304 ----a-w- c:\windows\system32\mipsinf.sys
2010-06-08 12:15 . 2010-06-08 12:15 -------- d-----w- c:\program files\kSolo
2010-06-08 12:01 . 2009-11-20 13:26 25984 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-06-07 22:18 . 2010-06-07 22:18 -------- d-----w- c:\program files\VAMPIX WAPLINK
2010-06-02 08:26 . 2010-06-02 08:26 -------- d-----w- c:\users\XxX\AppData\Roaming\MyLogoMaker
2010-06-02 08:21 . 2010-06-02 08:21 -------- d-----w- c:\program files\MySoftware
2010-06-02 08:13 . 2004-03-29 13:23 90112 ----a-w- c:\windows\unvise32.exe
2010-06-02 08:11 . 2010-06-02 08:13 -------- d-----w- c:\program files\The Logo Creator v5
2010-06-02 07:11 . 2010-06-02 07:11 -------- d-----w- c:\users\XxX\AppData\Roaming\Artisteer
2010-06-02 07:09 . 2010-06-02 07:09 -------- d-----w- c:\program files\Artisteer 2
2010-06-01 15:41 . 2010-06-01 15:41 -------- d--h--r- c:\users\XxX\AppData\Roaming\SecuROM
2010-06-01 14:41 . 2010-06-01 14:41 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-06-01 08:25 . 2010-02-04 07:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-06-01 08:25 . 2010-02-04 07:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-06-01 08:25 . 2010-02-04 07:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-06-01 08:25 . 2010-02-04 07:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-01 08:21 . 2010-06-01 08:21 -------- d-----w- c:\program files\Common Files\BioWare
2010-06-01 08:03 . 2010-06-01 08:03 -------- d-----w- c:\users\XxX\AppData\Roaming\Malwarebytes
2010-06-01 08:02 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-01 08:02 . 2010-06-01 08:02 -------- d-----w- c:\programdata\Malwarebytes
2010-06-01 08:02 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-01 08:02 . 2010-06-01 08:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 02:46 . 2010-05-31 02:46 -------- d-----w- c:\users\XxX\AppData\Local\THQ
2010-05-29 01:10 . 2010-05-29 01:10 -------- d-----w- c:\programdata\SEGA Corporation
2010-05-27 11:34 . 2010-05-27 11:34 -------- d-----w- c:\program files\Ubisoft
2010-05-25 14:59 . 2010-05-25 14:59 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-05-25 14:59 . 2010-05-25 14:59 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-05-25 14:59 . 2010-05-25 14:59 -------- d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2010-05-25 14:57 . 2010-05-25 15:03 -------- d-----w- c:\users\XxX\AppData\Roaming\Prison Break
2010-05-24 17:19 . 2010-06-04 00:27 -------- d-----w- c:\users\XxX\AppData\Roaming\FileZilla
2010-05-24 17:18 . 2010-05-24 17:18 -------- d-----w- c:\program files\FileZilla FTP Client
2010-05-24 16:30 . 2010-05-24 16:30 1443252 ----a-w- C:\Pligg CMS 1.0.4.zip
2010-05-22 11:23 . 2010-05-22 11:28 -------- d-----w- c:\users\XxX\AppData\Roaming\ImgBurn
2010-05-22 10:50 . 2010-05-22 10:50 -------- d-----w- c:\program files\ImgBurn
2010-05-21 20:34 . 2010-05-21 20:34 -------- d-----w- c:\users\XxX\AppData\Local\Serif
2010-05-21 20:33 . 2010-05-21 20:33 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-21 14:25 . 2010-05-21 15:19 -------- dc-h--w- c:\programdata\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}
2010-05-21 14:25 . 2010-02-22 22:47 2916202 -c--a-w- c:\programdata\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe
2010-05-21 14:24 . 2010-05-21 14:24 -------- d-----w- c:\program files\BackToTheBeach
2010-05-21 14:24 . 2010-05-21 14:24 -------- d-----w- c:\users\XxX\AppData\Roaming\BackToTheBeach
2010-05-20 08:00 . 2010-05-20 08:00 -------- d-----w- c:\program files\CoffeeCup Software
2010-05-20 02:14 . 2010-05-20 02:14 -------- d-----w- c:\users\XxX\AppData\Local\Mozilla
2010-05-20 01:35 . 2010-05-20 01:35 -------- d-----w- c:\program files\Common Files\SourceTec
2010-05-20 01:35 . 2009-06-04 12:28 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-05-20 01:34 . 2010-05-20 01:34 -------- d-----w- c:\program files\SourceTec
2010-05-19 18:49 . 2010-05-19 19:00 -------- d-----w- c:\users\XxX\AppData\Roaming\SWiSH Max3
2010-05-19 18:48 . 2010-05-19 18:48 -------- d-----w- c:\program files\LameACM
2010-05-19 18:48 . 2010-05-19 18:48 -------- d-----w- c:\program files\Common Files\SWiSHzone.com
2010-05-19 18:48 . 2010-05-19 18:49 -------- d-----w- c:\program files\SWiSH Max3
2010-05-19 18:03 . 2010-05-19 18:04 -------- d-----w- c:\program files\Show.kit 2.1
2010-05-19 18:02 . 2010-05-19 18:02 -------- d-----w- c:\users\XxX\AppData\Roaming\Thinstall
2010-05-19 18:02 . 2010-05-19 18:02 -------- d-----w- c:\users\XxX\AppData\Local\Thinstall
2010-05-19 17:35 . 2010-05-19 17:35 -------- d-----w- c:\program files\A4DeskPro
2010-05-19 16:45 . 2010-05-19 17:35 -------- d-----w- c:\users\XxX\AppData\Roaming\A4DeskPro
2010-05-19 03:22 . 2010-05-19 03:22 -------- d-----w- c:\programdata\ALM
2010-05-19 03:21 . 2010-05-19 03:21 -------- d-----w- c:\program files\Bonjour
2010-05-19 03:06 . 2010-05-19 03:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-05-19 02:14 . 2010-05-19 02:15 -------- d-----w- c:\program files\Flash Website Design
2010-05-19 02:02 . 2010-05-19 02:02 -------- d-----w- c:\programdata\MAGIX
2010-05-19 02:00 . 2010-05-19 02:02 -------- d-----w- c:\users\XxX\AppData\Roaming\MAGIX
2010-05-19 02:00 . 2010-05-19 02:00 -------- d-----w- c:\users\XxX\AppData\Local\Xara
2010-05-19 01:59 . 2010-05-19 01:59 -------- d-----w- c:\programdata\Xara
2010-05-19 01:59 . 2010-05-19 01:59 -------- d-----w- c:\program files\Xara
2010-05-18 03:30 . 2010-05-18 03:30 -------- d-----w- c:\users\XxX\AppData\Roaming\Avanquest
2010-05-18 01:57 . 2010-05-18 03:31 -------- d-----w- c:\programdata\Avanquest
2010-05-18 01:57 . 2010-05-18 01:57 -------- d-----w- c:\programdata\BVRP Software
2010-05-18 01:49 . 2010-05-18 01:49 -------- d-----w- c:\program files\Avanquest
2010-05-18 01:45 . 2010-05-18 01:45 -------- d-----w- c:\users\XxX\AppData\Roaming\InstallShield
2010-05-17 14:40 . 2010-05-17 14:40 -------- d-----w- c:\programdata\FLEXnet
2010-05-17 13:17 . 2010-05-17 13:17 10134 ----a-r- c:\users\XxX\AppData\Roaming\Microsoft\Installer\{BB64E0B7-A10E-4720-AD15-924A84165EA3}\ARPPRODUCTICON.exe
2010-05-15 23:14 . 2010-05-20 02:09 -------- d-----w- c:\users\XxX\AppData\Roaming\Aleo Software
2010-05-15 23:13 . 2010-05-20 02:09 -------- d-----w- c:\program files\Aleo Software
2010-05-15 06:18 . 2010-05-15 06:18 -------- d-----w- c:\program files\Flash Effect Maker
2010-05-15 04:40 . 2010-05-15 04:40 423 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Bonus Intro.dat
2010-05-15 04:40 . 2010-05-19 18:12 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-05-15 04:40 . 2010-05-19 18:12 11697 ----a-w- c:\windows\system32\SpoonUninstall-Flash4D Version 2-4.dat
2010-05-15 04:40 . 2010-05-15 04:40 -------- d-----w- c:\program files\Intro Wizard Software
2010-05-15 02:10 . 2009-11-01 10:11 17686528 ----a-w- c:\windows\system32\mkl_blueripple.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 11:22 . 2010-04-12 04:59 -------- d-----w- c:\users\XxX\AppData\Roaming\BitComet
2010-06-12 01:37 . 2010-04-12 15:21 -------- d-----w- c:\users\XxX\AppData\Roaming\vlc
2010-06-11 22:37 . 2010-04-12 04:59 -------- d-----w- c:\program files\BitComet
2010-06-11 14:03 . 2010-04-12 05:09 138592 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-11 14:03 . 2010-04-12 05:08 219128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-05 06:52 . 2010-04-11 13:52 187400 ----a-w- c:\users\XxX\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-01 18:29 . 2010-04-23 11:26 -------- d-----w- c:\users\XxX\AppData\Roaming\Skype
2010-06-01 18:08 . 2010-04-23 11:27 -------- d-----w- c:\users\XxX\AppData\Roaming\skypePM
2010-06-01 14:41 . 2010-04-12 05:09 138056 ----a-w- c:\users\XxX\AppData\Roaming\PnkBstrK.sys
2010-06-01 14:41 . 2010-04-12 05:09 138056 ----a-w- c:\users\XxX\AppData\Roaming\PnkBstrK.sys
2010-06-01 08:26 . 2010-04-23 09:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-01 08:26 . 2010-04-20 06:43 -------- d-----w- c:\program files\AGEIA Technologies
2010-06-01 08:25 . 2010-04-12 06:40 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-29 00:42 . 2010-04-11 13:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-25 17:06 . 2010-05-25 17:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-22 05:21 . 2010-05-03 01:06 -------- d-----w- c:\program files\Garena
2010-05-21 20:34 . 2010-04-30 05:11 -------- d-----w- c:\users\XxX\AppData\Roaming\Serif
2010-05-21 20:31 . 2010-04-30 05:09 -------- d-----w- c:\program files\Serif
2010-05-19 17:21 . 2010-04-26 11:00 -------- d-----w- c:\program files\Common Files\Steam
2010-05-19 03:20 . 2010-04-11 13:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 13:02 . 2010-04-11 13:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-15 02:11 . 2010-04-26 10:45 -------- d-----w- c:\programdata\Codemasters
2010-05-15 02:10 . 2010-04-26 10:42 -------- d-----w- c:\program files\BRS
2010-05-15 02:09 . 2010-04-26 10:41 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-15 02:09 . 2010-04-26 10:41 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-12 08:21 . 2010-04-11 16:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 01:52 . 2010-05-11 01:52 -------- d-----w- c:\program files\TrendyFlash Site Builder
2010-05-10 23:10 . 2010-05-10 23:10 -------- d-----w- c:\programdata\Alwil Software
2010-05-10 23:10 . 2010-05-10 23:10 -------- d-----w- c:\program files\Alwil Software
2010-05-08 03:14 . 2010-04-11 17:26 -------- d-----w- c:\program files\ESET
2010-05-07 09:55 . 2010-05-07 09:55 255472 ----a-w- c:\users\XxX\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-05-06 20:59 . 2010-05-10 23:10 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2010-05-10 23:10 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2010-05-10 23:11 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2010-05-10 23:11 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2010-05-10 23:11 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:34 . 2010-05-10 23:11 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-06 20:33 . 2010-05-10 23:11 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-04 01:25 . 2010-05-04 01:25 10134 ----a-r- c:\users\XxX\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-05-04 01:25 . 2010-05-04 01:25 -------- d-----w- c:\program files\Microsoft WSE
2010-05-03 14:34 . 2010-05-03 14:34 -------- d-----w- c:\program files\RAR Password Recovery Magic
2010-05-03 14:25 . 2010-05-03 14:25 -------- d-----w- c:\program files\RAR Password Cracker
2010-05-02 02:51 . 2010-04-11 13:31 -------- d-----w- c:\programdata\Microsoft Help
2010-05-01 20:49 . 2010-04-23 09:24 -------- d-----w- c:\users\XxX\AppData\Roaming\Ventrilo
2010-04-30 05:22 . 2010-04-30 05:22 -------- d-----w- c:\program files\MSXML 4.0
2010-04-29 16:41 . 2010-04-29 16:41 313168 ----a-w- c:\windows\system32\WPPFilt.dll
2010-04-27 20:06 . 2010-04-27 20:06 -------- d-----w- c:\program files\BattlePing
2010-04-26 10:50 . 2010-04-26 10:50 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-26 10:42 . 2010-04-26 10:41 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-26 10:41 . 2010-04-26 10:41 -------- d-----w- c:\program files\OpenAL
2010-04-24 23:38 . 2010-04-24 23:38 -------- d-----w- c:\program files\Advanced Task Scheduler Basic
2010-04-24 23:18 . 2010-04-24 23:18 -------- d-----w- c:\programdata\Z-Manufaktur
2010-04-24 17:44 . 2010-04-24 17:42 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-04-23 17:45 . 2010-04-23 17:44 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-04-23 17:34 . 2010-04-23 17:33 -------- d-----w- c:\program files\Mumble
2010-04-23 17:32 . 2010-04-23 17:32 -------- d-----w- c:\program files\VentriloMix
2010-04-23 11:27 . 2010-04-23 11:27 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-04-23 11:26 . 2010-04-23 11:26 -------- d-----w- c:\program files\Common Files\Skype
2010-04-23 11:26 . 2010-04-23 11:26 -------- d-----r- c:\program files\Skype
2010-04-23 11:26 . 2010-04-23 11:25 -------- d-----w- c:\programdata\Skype
2010-04-23 09:48 . 2010-04-23 09:48 -------- d-----w- c:\program files\Ventrilo
2010-04-22 13:48 . 2010-04-22 13:48 -------- d-----w- c:\program files\ZZEE
2010-04-21 18:39 . 2010-04-21 18:39 -------- d-----w- c:\programdata\Hewlett-Packard
2010-04-20 18:47 . 2010-04-20 18:45 -------- d-----w- c:\program files\Veetle
2010-04-20 06:41 . 2010-04-15 02:32 -------- d-----w- c:\users\XxX\AppData\Roaming\DAEMON Tools Lite
2010-04-18 02:55 . 2010-04-12 04:36 -------- d--h--w- c:\program files\Temp
2010-04-18 02:42 . 2010-04-18 02:42 -------- d-----w- c:\program files\CPUID
2010-04-17 08:36 . 2010-04-17 07:15 -------- d-----w- c:\users\XxX\AppData\Roaming\Web Page Maker
2010-04-17 07:15 . 2010-04-17 07:15 -------- d-----w- c:\program files\Web Page Maker
2010-04-15 02:34 . 2010-04-15 02:34 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-04-15 02:34 . 2010-04-15 02:32 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-15 02:32 . 2010-04-15 02:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-15 02:32 . 2010-04-15 02:32 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-04-12 07:36 . 2010-04-12 05:08 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-11 13:54 . 2010-04-11 13:54 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-04-11 13:54 . 2010-04-11 13:54 172032 ------w- c:\windows\Setup1.exe
2010-04-11 13:49 . 2010-04-11 13:48 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-11 13:49 . 2010-04-11 13:46 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-28 14:00 . 2010-04-23 11:44 196608 ----a-w- c:\windows\system32\lp.dll
2010-03-22 11:22 . 2010-04-12 04:36 1247776 ----a-w- c:\windows\RtlExUpd.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2009-07-14 01:14 . FCE8BF502433C24B5C23B7F75992A621 . 47104 . . [------] . . c:\windows\System32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\XxX\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-04-11 136176]
"Advanced Task Scheduler Basic"="c:\program files\Advanced Task Scheduler Basic\advscheduler_bscadm.exe" [2010-04-02 2326528]
"Steam"="d:\program files\Steam\Steam.exe" [2010-05-07 1238352]
"Web Studio 5.0 Update Setup"="c:\users\XxX\AppData\Local\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe" [BU]
"Web Studio 5.0 Update Setup for All Users"="c:\programdata\{22A05767-4EAB-4AF6-A400-7E5B87BE48E3}\WebStudio5Install.exe" [2010-02-22 2916202]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-11 185896]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-19 8452640]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2009-04-27 74408]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-05-06 2815192]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\XxX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-4-23 0]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-04-13 08:09 49152 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-08-18 15:27 5137648 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

R3 GarenaPEngine;GarenaPEngine;c:\users\XxX\AppData\Local\Temp\XVY95CC.tmp [x]
R3 mipsinf;mipsinf;c:\windows\system32\mipsinf.sys [2010-06-08 2304]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-15 691696]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S3 BATTLEP;BATTLEP;c:\program files\BattlePing\BattleP.exe [2009-12-24 1568768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]


--- Other Services/Drivers In Memory ---

*Deregistered* - seufxm

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7E6FA2FF-CC41-4145-9C06-19C1F78DF855}]
2009-06-23 11:35 16624 ----a-w- c:\program files\Microsoft\Microsoft Maren\Bin\reg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{970EA2E9-E7B8-45E1-9CB5-0DEB37C2C28D}]
2009-06-25 20:50 422672 ----a-w- c:\program files\Microsoft\Microsoft Maren\Bin\TextService.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1017075052-1213670596-3501502907-1000Core.job
- c:\users\XxX\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 17:12]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1017075052-1213670596-3501502907-1000UA.job
- c:\users\XxX\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-11 17:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://shop.thefreevpn.com/home.php
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
LSP: c:\windows\system32\BattleP.dll
TCP: {45C2144D-92E5-44E3-9670-C31E12C35C8E} = 196.27.0.35 196.27.0.230
TCP: {76D9C06F-8FDA-4DB2-804F-E1EF0893713A} = 81.10.124.2 81.10.124.3
FF - ProfilePath - c:\users\XxX\AppData\Roaming\Mozilla\Firefox\Profiles\bh5grulr.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\kSolo\npAVX.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\XxX\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\XxX\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86509D01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x852be398
QueryNameProcedure -> 0x852be528
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\XxX\AppData\Local\Temp\XVY95CC.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\seufxm]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1017075052-1213670596-3501502907-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:ad,f3,36,c0,2b,1c,ef,4c,7f,32,db,35,dd,99,4e,19,34,b3,94,bb,71,
5b,48,06,0c,fe,6f,ba,76,af,b9,f8,93,01,3e,1c,a8,fc,ab,c3,dc,ea,bb,f4,d7,13,\
"rkeysecu"=hex:44,c8,b9,9f,32,57,3b,cb,d1,4b,2e,c3,b7,6d,88,b1

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5508)
c:\windows\system32\BattleP.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\slmdmsr.exe
c:\windows\system32\conhost.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2010-06-12 14:48:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-12 11:48
ComboFix2.txt 2010-05-31 14:50

Pre-Run: 104,063,139,840 bytes free
Post-Run: 103,647,490,048 bytes free

- - End Of File - - D0064E312F51C797511BE9366AC67577


#8 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 12 June 2010 - 07:25 AM

No luck there...
Please let me know if you have your Windows 7 DVD at hand.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Hassan H

  • Topic Starter
  • Members
  • 16 posts

Posted 12 June 2010 - 07:29 AM

I do. However, does this mean that whatever I'm infected with is impossible to remove?

And I'm afraid that when I format and reinstall the OS, some file on my 1.3 TB disks will infect me again!

Any tips?

Finally, I'm extremely grateful for all the help you've provided, and continue to provide.



#10 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 12 June 2010 - 08:19 AM

No worries, it doesn't mean it's impossible to remove.

It only means we need to do it manually.

The simplest thing to try is a startup repair (this should automatically replace the infected file). If that doesn't work, we need to do it manually using the command prompt in the recovery environment.

Please follow the steps here to do a startup repair.
Note: this guide also contains other steps; just use the steps to get to the Recovery Environment options and choose "Startup Repair".

When done, please see if Firefox is still redirecting you.

regards, Elise




#11 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 15 June 2010 - 05:51 AM

Hello, are you still there?

regards, Elise




#12 Hassan H

  • Topic Starter
  • Members
  • 16 posts

Posted 15 June 2010 - 11:16 AM

Hey there, and really sorry for the late reply.

But I've been having a problem and I'm not sure if it's related to the malware at hand. I've looked everywhere for a fix but I can't seem to find one.

As per your request, I got my Windows 7 DVD (copied to a bootable USB; the DVD is with a friend), and all goes well up to the point where Windows is loading files. When it finishes loading files, I get the Windows starting screen with the flashing logo, then I'm redirected to the installation screen, although it's a completely blank screen. I can see the mouse and move it, but that's pretty much it. I've waited around 1 hour with no luck; the screen remains blank.

I'm not sure that's a problem with my USB, because I've used this very same USB and managed to successfully install Windows both on this machine and others.

Any idea how we could solve this? Or is there an alternate way to activate Startup Repair?



#13 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,203 posts
  • Gender:Female
  • Location:Romania

Posted 15 June 2010 - 01:15 PM

Hi, please try this.
  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do NOT run the file yet!
  • Click Start > Run and copy and paste the following bolded text into the Run box:
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed, reboot the computer.
A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.

regards, Elise




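Added example, not part of this thread and not TDSSKiller's own code: a small Python triage script for the report.txt that the command above writes. It picks out the lines a helper acts on (a hidden service and its image path, registry nodes and files marked "infected by TDSS rootkit" together with the action the tool announced, and "Suspicious file" hits with their MD5) and counts plain driver-enumeration lines as noise; the sample report is constructed in the shape of the log posted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A TDSSKiller 2.3.x report line reads "HH:MM:SS:mmm <pid> <message>"; the message may be empty.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
# "RegNode <key> infected by <threat> ..." and "File <path> infected by <threat> ..."
INFECTED_RE = re.compile(r"^(RegNode|File)\s+(\S+)\s+infected by\s+(.+?)\s+\.\.\.")
# "Suspicious file (<access>): <path>. md5: <hash>"
SUSPICIOUS_FILE_RE = re.compile(r"^Suspicious file \((\w+)\):\s+(.+?)\.\s+md5:\s+([0-9a-fA-F]{32})")
# Plain enumeration line "<driver> (<md5>) <path>": nothing flagged, only counted as noise.
DRIVER_RE = re.compile(r"^\S+\s+\([0-9a-fA-F]{32}\)\s+\S")


@dataclass
class Finding:
    kind: str         # "hidden_service", "infected" or "suspicious_file"
    subject: str      # service name, registry node or file path
    detail: str = ""  # image path, "<object>: <threat>" or "<access> md5=<hash>"
    action: str = ""  # what the tool announced, e.g. "will be deleted on reboot"
    time: str = ""    # timestamp of the line that produced the finding


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)
    drivers_scanned: int = 0  # clean "<driver> (<md5>) <path>" lines

    def by_kind(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for f in self.findings:
            counts[f.kind] = counts.get(f.kind, 0) + 1
        return counts


def parse_report(text: str) -> Report:
    """Extract the actionable findings from TDSSKiller report text."""
    report = Report()
    pending: Optional[Finding] = None  # hidden-service block still waiting for its "Image path:" line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner, blank or otherwise not a report line
        ts, _pid, msg = m.groups()
        msg = msg.strip()

        # The hidden-service block spans three lines: header, "Service name:", "Image path:".
        if msg == "Hidden service detected!":
            pending = Finding("hidden_service", "", time=ts)
            report.findings.append(pending)
            continue
        if pending is not None and msg.startswith("Service name:"):
            pending.subject = msg.split(":", 1)[1].strip()
            continue
        if pending is not None and msg.startswith("Image path:"):
            path = msg.split(":", 1)[1].strip()
            # An empty image path means the service's binary is hidden from the registry view too.
            pending.detail = path if path else "(no image path visible)"
            pending = None
            continue

        im = INFECTED_RE.match(msg)
        if im:
            obj, path, threat = im.groups()
            action = "will be deleted on reboot" if "will be deleted on reboot" in msg else ""
            report.findings.append(Finding("infected", path, f"{obj}: {threat}", action, ts))
            continue

        sm = SUSPICIOUS_FILE_RE.match(msg)
        if sm:
            access, path, md5 = sm.groups()
            # NoAccess only says the scanner could not open the file; it is not a detection by itself.
            report.findings.append(Finding("suspicious_file", path, f"{access} md5={md5}", "", ts))
            continue

        if DRIVER_RE.match(msg):
            report.drivers_scanned += 1
    return report


# Constructed sample in the shape of the report posted in this thread (not the full log).
SAMPLE_REPORT = r"""22:19:39:424 6288 Raw services enum returned 432 services
22:19:39:440 6288 Hidden service detected!
22:19:39:440 6288 Service name: seufxm
22:19:39:441 6288 Image path:
22:20:01:683 6288 RegNode HKLM\SYSTEM\ControlSet001\services\seufxm infected by TDSS rootkit ... 22:20:01:683 6288 will be deleted on reboot
22:20:01:762 6288 File C:\Windows\system32\drivers\seufxm.sys infected by TDSS rootkit ... 22:20:01:763 6288 will be deleted on reboot
22:20:03:496 6288 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
22:20:07:768 6288 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
22:20:07:768 6288 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{rep.drivers_scanned} clean driver entries, findings by kind: {rep.by_kind()}")
    for f in rep.findings:
        print(f"[{f.time}] {f.kind:15} {f.subject} {f.detail} {f.action}".rstrip())
```

A NoAccess hit is reported apart from confirmed detections because it only means the file could not be read; sptd.sys is the SCSI pass-through driver that disc-emulation software such as Daemon Tools installs, so it needs a human decision rather than automatic deletion.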
#14 Hassan H

  • Topic Starter
  • Members
  • 16 posts

Posted 15 June 2010 - 02:25 PM

Done,

Here's the log =)




22:19:34:012 6288 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
22:19:34:012 6288 ================================================================================
22:19:34:012 6288 SystemInfo:

22:19:34:012 6288 OS Version: 6.1.7600 ServicePack: 0.0
22:19:34:012 6288 Product type: Workstation
22:19:34:012 6288 ComputerName: HASSANPC
22:19:34:014 6288 UserName: XxX
22:19:34:014 6288 Windows directory: C:\Windows
22:19:34:014 6288 Processor architecture: Intel x86
22:19:34:014 6288 Number of processors: 2
22:19:34:015 6288 Page size: 0x1000
22:19:34:017 6288 Boot type: Normal boot
22:19:34:017 6288 ================================================================================
22:19:38:716 6288 Initialize success
22:19:38:717 6288
22:19:38:717 6288 Scanning Services ...
22:19:39:424 6288 Raw services enum returned 432 services
22:19:39:439 6288 Suspicious serv seufxm (h: 0, b: 1)
22:19:39:439 6288
22:19:39:440 6288 Hidden service detected!
22:19:39:440 6288 Service name: seufxm
22:19:39:441 6288 Image path:
22:19:39:441 6288 Type "delete" (without quotes) to delete it: 22:20:01:682 6288
22:20:01:682 6288 By user detect seufxm
22:20:01:683 6288 RegNode HKLM\SYSTEM\ControlSet001\services\seufxm infected by TDSS rootkit ... 22:20:01:683 6288 will be deleted on reboot
22:20:01:729 6288 RegNode HKLM\SYSTEM\ControlSet002\services\seufxm infected by TDSS rootkit ... 22:20:01:729 6288 will be deleted on reboot
22:20:01:762 6288 File C:\Windows\system32\drivers\seufxm.sys infected by TDSS rootkit ... 22:20:01:763 6288 will be deleted on reboot
22:20:01:764 6288
22:20:01:764 6288 Scanning Drivers ...
22:20:03:496 6288 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
22:20:03:524 6288 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
22:20:03:545 6288 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
22:20:03:578 6288 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
22:20:03:606 6288 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\Windows\system32\drivers\aswFsBlk.sys
22:20:03:629 6288 aswMonFlt (58254e06b36b984e33ae314c0ea8f1a5) C:\Windows\system32\drivers\aswMonFlt.sys
22:20:03:643 6288 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\Windows\system32\drivers\aswRdr.sys
22:20:03:658 6288 aswSP (d78b644816db540e103d0b0766fd9967) C:\Windows\system32\drivers\aswSP.sys
22:20:03:678 6288 aswTdi (606d731008d98b6ef946730c597c1642) C:\Windows\system32\drivers\aswTdi.sys
22:20:03:694 6288 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
22:20:03:703 6288 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
22:20:03:732 6288 atksgt (f0d933b42cd0594048e4d5200ae9e417) C:\Windows\system32\DRIVERS\atksgt.sys
22:20:03:756 6288 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
22:20:03:773 6288 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
22:20:03:787 6288 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
22:20:03:869 6288 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
22:20:03:884 6288 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
22:20:03:908 6288 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
22:20:03:938 6288 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
22:20:03:952 6288 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
22:20:03:973 6288 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
22:20:04:001 6288 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
22:20:04:028 6288 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
22:20:04:045 6288 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
22:20:04:064 6288 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
22:20:04:091 6288 DXGKrnl (39806cfeddcc55e686a49bccd2972f23) C:\Windows\System32\drivers\dxgkrnl.sys
22:20:04:125 6288 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
22:20:04:150 6288 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
22:20:04:167 6288 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
22:20:04:186 6288 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
22:20:04:200 6288 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
22:20:04:210 6288 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
22:20:04:227 6288 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
22:20:04:240 6288 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
22:20:04:258 6288 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
22:20:04:279 6288 fvevol (5592f5dba26282d24d2b080eb438a4d7) C:\Windows\system32\DRIVERS\fvevol.sys
22:20:04:304 6288 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
22:20:04:340 6288 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
22:20:04:369 6288 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
22:20:04:392 6288 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
22:20:04:409 6288 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
22:20:04:423 6288 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
22:20:04:434 6288 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
22:20:04:455 6288 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
22:20:04:478 6288 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
22:20:04:506 6288 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
22:20:04:530 6288 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
22:20:04:544 6288 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
22:20:04:563 6288 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
22:20:04:644 6288 IntcAzAudAddService (a9d92a2d9f583892c91202502d979be1) C:\Windows\system32\drivers\RTKVHDA.sys
22:20:04:707 6288 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
22:20:04:728 6288 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
22:20:04:743 6288 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
22:20:04:761 6288 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
22:20:04:779 6288 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
22:20:04:790 6288 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
22:20:04:800 6288 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
22:20:04:824 6288 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
22:20:04:852 6288 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
22:20:04:869 6288 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
22:20:04:905 6288 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\Windows\system32\drivers\klmd.sys
22:20:04:927 6288 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
22:20:04:948 6288 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
22:20:04:978 6288 lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\Windows\system32\DRIVERS\lirsgt.sys
22:20:05:001 6288 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
22:20:05:016 6288 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
22:20:05:039 6288 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
22:20:05:068 6288 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
22:20:05:096 6288 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
22:20:05:111 6288 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
22:20:05:130 6288 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
22:20:05:153 6288 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
22:20:05:187 6288 mipsinf (6a94289ca78bcc44e8170b80cec9ab16) C:\Windows\system32\mipsinf.sys
22:20:05:237 6288 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
22:20:05:267 6288 MODEMCSA (25483f9d590d5f00bd951e1181453ec2) C:\Windows\system32\drivers\MODEMCSA.sys
22:20:05:287 6288 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
22:20:05:301 6288 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
22:20:05:319 6288 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
22:20:05:340 6288 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
22:20:05:360 6288 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
22:20:05:377 6288 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
22:20:05:402 6288 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
22:20:05:427 6288 mrxsmb (f4a054be78af7f410129c4b64b07dc9b) C:\Windows\system32\DRIVERS\mrxsmb.sys
22:20:05:440 6288 mrxsmb10 (deffa295bd1895c6ed8e3078412ac60b) C:\Windows\system32\DRIVERS\mrxsmb10.sys
22:20:05:459 6288 mrxsmb20 (24d76abe5dcad22f19d105f76fdf0ce1) C:\Windows\system32\DRIVERS\mrxsmb20.sys
22:20:05:470 6288 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
22:20:05:488 6288 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
22:20:05:507 6288 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
22:20:05:530 6288 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
22:20:05:540 6288 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
22:20:05:557 6288 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
22:20:05:566 6288 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
22:20:05:576 6288 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
22:20:05:599 6288 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
22:20:05:622 6288 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
22:20:05:632 6288 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
22:20:05:642 6288 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
22:20:05:697 6288 Mtlmnt5 (8cc4ab0f1fdb5fc7f58779dab0b1d22e) C:\Windows\system32\DRIVERS\SLDRV\Mtlmnt5.sys
22:20:05:745 6288 Mtlstrm (195c5a0b44240dbb999f267ecfd3fab2) C:\Windows\system32\DRIVERS\SLDRV\Mtlstrm.sys
22:20:05:783 6288 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
22:20:05:825 6288 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
22:20:05:861 6288 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
22:20:05:890 6288 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
22:20:05:915 6288 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
22:20:05:938 6288 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
22:20:05:957 6288 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
22:20:05:972 6288 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
22:20:05:982 6288 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
22:20:06:005 6288 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
22:20:06:029 6288 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
22:20:06:046 6288 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
22:20:06:056 6288 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
22:20:06:131 6288 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
22:20:06:158 6288 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
22:20:06:392 6288 nvlddmkm (712d98d35e68d0006b121f4a3b8ee814) C:\Windows\system32\DRIVERS\nvlddmkm.sys
22:20:06:590 6288 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
22:20:06:610 6288 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
22:20:06:638 6288 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
22:20:06:661 6288 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
22:20:06:686 6288 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
22:20:06:701 6288 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
22:20:06:715 6288 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
22:20:06:729 6288 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
22:20:06:749 6288 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
22:20:06:774 6288 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
22:20:06:801 6288 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
22:20:06:818 6288 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
22:20:06:844 6288 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
22:20:06:863 6288 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
22:20:06:881 6288 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
22:20:06:892 6288 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
22:20:06:929 6288 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
22:20:06:958 6288 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
22:20:06:979 6288 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
22:20:06:993 6288 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
22:20:07:008 6288 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
22:20:07:030 6288 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
22:20:07:054 6288 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
22:20:07:073 6288 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
22:20:07:100 6288 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
22:20:07:115 6288 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
22:20:07:134 6288 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
22:20:07:169 6288 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
22:20:07:180 6288 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
22:20:07:191 6288 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
22:20:07:236 6288 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
22:20:07:261 6288 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
22:20:07:317 6288 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
22:20:07:335 6288 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
22:20:07:358 6288 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
22:20:07:374 6288 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
22:20:07:392 6288 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
22:20:07:421 6288 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
22:20:07:442 6288 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
22:20:07:466 6288 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
22:20:07:476 6288 !dthrs6
22:20:07:497 6288 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
22:20:07:507 6288 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
22:20:07:530 6288 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\Windows\system32\DRIVERS\sffp_sd.sys
22:20:07:555 6288 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
22:20:07:573 6288 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
22:20:07:590 6288 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
22:20:07:606 6288 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
22:20:07:644 6288 Slntamr (e61f4a8551ed6d42245ec5c4a29c120b) C:\Windows\system32\DRIVERS\SLDRV\slntamr.sys
22:20:07:677 6288 SlNtHal (7f5f9b53bea4238aa18ba05382ec7629) C:\Windows\system32\DRIVERS\SLDRV\Slnthal.sys
22:20:07:702 6288 SlWdmSup (58f389daea07a855f7f38dd0d66e20c2) C:\Windows\system32\DRIVERS\SLDRV\SlWdmSup.sys
22:20:07:712 6288 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
22:20:07:733 6288 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
22:20:07:768 6288 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
22:20:07:768 6288 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
22:20:07:792 6288 srv (2ba4ebc7dfba845a1edbe1f75913be33) C:\Windows\system32\DRIVERS\srv.sys
22:20:07:814 6288 srv2 (dce7e10feaabd4cae95948b3de5340bb) C:\Windows\system32\DRIVERS\srv2.sys
22:20:07:835 6288 srvnet (b5665baa2120b8a54e22e9cd07c05106) C:\Windows\system32\DRIVERS\srvnet.sys
22:20:07:859 6288 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
22:20:08:861 6288 Suspicious file (Forged): C:\Windows\system32\drivers\ws2ifsl.sys. Real md5: b309cc1813ce71133486f13a07746b7d, Fake md5: 6db3276587b853bf886b69528fdb048c
22:20:08:862 6288 File "C:\Windows\system32\drivers\ws2ifsl.sys" infected by TDSS rootkit ... 22:20:09:412 6288 Backup copy found, using it..
22:20:09:420 6288 will be cured on next reboot
22:20:09:523 6288 Reboot required for cure complete..
22:20:09:909 6288 Cure on reboot scheduled successfully
22:20:09:909 6288
22:20:09:910 6288 Completed
22:20:09:910 6288
22:20:09:911 6288 Results:
22:20:09:911 6288 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
22:20:09:912 6288 File objects infected / cured / cured on reboot: 2 / 0 / 2
22:20:09:913 6288
22:20:09:918 6288 KLMD(ARK) unloaded successfully


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:05 AM

Posted 15 June 2010 - 02:49 PM

Hello again,
That seemed successful. Please let me know how things are running now.

Edited by elise025, 15 June 2010 - 02:50 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
