ggb6w.exe trying to access physical memory -trojan?


This topic is locked.
14 replies to this topic

#1 pcgi

  • Members
  • 8 posts

Posted 13 July 2010 - 11:46 AM

Hi everybody!
If someone has expertise and free time, please help my bleeping PC.
I've installed PC Tools 'Firewall Plus' and it gives me this when I try to open the hard disk through 'My Computer':
ggb6w.exe trying to access physical memory
If I block it, it doesn't open a window with this hard drive with files on it. If I unblock ggb6w.exe, then I can access this hard drive.
I searched on the internet and found a Thai programmer's solution to this with today's fresh update (New update !!! 13/07/2010). The solution does many things on your PC - kills processes, cleans some files, modifies registry keys... scary! I'm really afraid to download it, not to mention starting it.

It is called PeeTechFix-win32.PSW.OnlineGames 2.0.7_AVDB-108 & Fix Pacex.Gen
hxxp://hotzone-it.blogspot.com/2010/07/how-to-remove-ggb6wexe.html

hxxp://hotzone-it.blogspot.com/2009/08/peetechfixwin32pswonlinegame.html

Please, guys, look into my logs; maybe there's some other way to clean the nasty thing, apart from allowing Thai hackers to enter my computer.

Deactivated link. ~ OB

Attached file: DDS.txt (14.81KB)

Edited by Orange Blossom, 13 July 2010 - 09:16 PM.
Moved from XP to Malware Removal Logs ~ Hamluis.




#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 July 2010 - 08:54 AM

Hello pcgi, my name is Syler and I will be helping you to solve your malware issues.

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have
since resolved your issues, I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Please follow these instructions to disable any CD Emulation programs using DeFogger.
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
  • Gmer log

Thanks

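Once the OTL.txt requested above is posted, a responder reads it line by line for a small set of patterns. As an added example (not part of this thread, and not OTL's own code), the Python script below parses OTL-style report lines and flags the entries most worth a first look from a defender's side: hidden+system files sitting in a drive root (autorun.inf and root executables), processes or services loaded from system32 with an empty publisher string, Run keys that start such files, and a configured Internet Explorer proxy. The sample lines are constructed here, modelled on the log format posted later in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines, modelled on the OTL log format posted in this thread.
SAMPLE_LOG = r"""
PRC - [2010.07.27 00:04:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2009.09.25 11:04:24 | 005,586,664 | ---- | M] () -- C:\WINDOWS\system32\WTMKM.exe
SRV - [2009.11.26 14:48:10 | 000,515,816 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\atwtusb.exe -- (WTService)
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 95.169.190.2:80
O4 - HKLM..\Run: [MacrokeyManager] C:\WINDOWS\System32\WTMKM.exe ()
O32 - AutoRun File - [2007.08.01 14:26:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010.07.16 20:35:32 | 000,000,061 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010.07.16 20:35:32 | 000,000,061 | RHS- | M] () - E:\autorun.inf -- [ NTFS ]
[2010.07.13 21:08:41 | 000,117,248 | RHS- | M] () -- C:\i8gcgmg.exe
[2010.07.14 19:23:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
"""

# A bracketed file entry: [stamp | size | attrs | M/C] (company) -- path. Service lines carry a
# "[Auto | Running]" block before the path; O32/SRV lines may end with " -- [ NTFS ]" or " -- (name)".
FILE_RE = re.compile(
    r"\[(?P<stamp>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| [MC]\] \((?P<company>[^)]*)\)(?: \[[^\]]*\])? -{1,2} "
    r"(?P<path>[A-Za-z]:\\.+?)(?: -- \[ \w+ \]| -- \([^)]*\))?$"
)
# O4 autostart entry: O4 - <hive>..\Run: [<name>] <path> (<company>)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
# Internet Explorer proxy setting for any hive.
PROXY_RE = re.compile(r'^IE - (?P<key>.+?): "ProxyServer" = (?P<proxy>\S+)$')
# A file that sits directly in a drive root, e.g. C:\autorun.inf (no further path separators).
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def triage_line(line: str) -> List[Finding]:
    """Apply the triage rules to one OTL line; returns zero or more findings."""
    found: List[Finding] = []
    m = FILE_RE.search(line)
    if m:
        attrs, company, path = m["attrs"], m["company"].strip(), m["path"]
        hidden_system = "H" in attrs and "S" in attrs  # RHS- style attribute field
        in_root = ROOT_FILE_RE.match(path) is not None
        lower = path.lower()
        if in_root and hidden_system and lower.endswith("\\autorun.inf"):
            found.append(Finding("high", "hidden+system autorun.inf in drive root (autorun-worm pattern)", line))
        elif in_root and hidden_system and lower.endswith(".exe"):
            found.append(Finding("high", "hidden+system executable in drive root", line))
        elif line.startswith(("PRC", "SRV")) and "\\system32\\" in lower and not company:
            found.append(Finding("medium", "process/service loaded from system32 with no publisher string", line))
    m = RUN_RE.match(line)
    if m and not m["company"].strip():
        found.append(Finding("medium", f"Run key [{m['name']}] starts a file with no publisher string", line))
    m = PROXY_RE.match(line)
    if m:
        found.append(Finding("medium", f"IE ProxyServer is set to {m['proxy']}; confirm it is expected", line))
    return found


def triage(report: str) -> List[Finding]:
    """Run every non-empty line of an OTL report through the triage rules."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {"high": 3, "medium": 4}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f.severity):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.line}")
    print("summary:", summary(results))
```

A hit is a reason to look closer, not a verdict: a legitimate tablet driver can ship without a publisher string, and a proxy may be the user's own.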


#3 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 July 2010 - 06:26 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 July 2010 - 04:53 PM

Thread reopened at OP request.



#5 pcgi

  • Topic Starter
  • Members
  • 8 posts

Posted 26 July 2010 - 05:56 PM

So I scanned with OTL a few days ago, when Syler added a response, and OTL gave me 2 files: OTL.txt and Extras.Txt. I wanted to scan today to get fresh results, but after the scan is complete it doesn't give out Extras.txt!
So here's my new and fresh OTL.txt and 3-day-old Extras.txt:

OTL.txt

OTL logfile created on: 27.07.2010 0:05:11 - Run 4
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 69,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816E:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298,08 Gb Total Space | 220,70 Gb Free Space | 74,04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 111,79 Gb Total Space | 86,12 Gb Free Space | 77,04% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MP2010-7D10447F
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.07.27 00:04:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010.07.26 03:21:42 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010.07.06 20:21:07 | 000,512,070 | ---- | M] () -- C:\Program Files\Soft4Ever\looknstop\looknstop.exe
PRC - [2010.06.23 19:36:48 | 004,090,976 | ---- | M] (Astonsoft Ltd) -- C:\Program Files\EssentialPIM_Pro_Portable_3\EssentialPIM Pro Portable 3.54\EssentialPIM.exe
PRC - [2009.11.26 14:48:10 | 000,515,816 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe
PRC - [2009.09.25 11:04:24 | 005,586,664 | ---- | M] () -- C:\WINDOWS\system32\WTMKM.exe
PRC - [2008.04.14 15:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010.07.27 00:04:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2008.04.14 15:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010.05.02 23:38:33 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.11.26 14:48:10 | 000,515,816 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\atwtusb.exe -- (WTService)
SRV - [2008.08.15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2007.07.24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)


========== Driver Services (SafeList) ==========

DRV - [2010.07.06 20:14:26 | 000,077,184 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\lnsfw1.sys -- (lnsfw1)
DRV - [2010.07.06 20:14:26 | 000,045,824 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lnsfw.sys -- (SFilter)
DRV - [2010.01.20 16:53:06 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2010.01.20 16:53:04 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2009.08.20 18:38:24 | 000,006,144 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\walvhid.sys -- (vhidmini)
DRV - [2009.03.08 19:15:14 | 000,006,144 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\moufiltr.sys -- (moufiltr)
DRV - [2008.08.14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs)
DRV - [2008.04.14 01:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007.05.23 04:21:12 | 000,016,272 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btnetdrv.sys -- (BT)
DRV - [2007.05.23 04:20:58 | 000,036,496 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2007.05.11 03:10:50 | 000,034,704 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2007.03.05 06:00:04 | 000,027,792 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)
DRV - [2007.03.05 05:56:18 | 000,035,600 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2007.03.05 05:55:12 | 000,020,880 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2007.03.05 05:53:18 | 000,044,304 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2007.03.05 05:52:18 | 000,034,448 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2005.10.26 15:14:34 | 000,006,927 | R--- | M] (Conexant Systems, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UIUSYS.SYS -- (UIUSys)
DRV - [2005.03.04 11:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004.08.22 16:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
DRV - [2004.08.22 16:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://google.com
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 95.169.190.2:80

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.lv/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.4
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.4
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.7
FF - prefs.js..extensions.enabledItems: elemhidehelper@adblockplus.org:1.0.6
FF - prefs.js..extensions.enabledItems: lv-LV@dictionaries.addons.mozilla.org:0.8.2
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.8
FF - prefs.js..extensions.enabledItems: ru@dictionaries.addons.mozilla.org:0.4.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://www.google.lv/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.26 03:21:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.26 03:21:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.6\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.07.23 21:07:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.07.20 15:10:21 | 000,000,000 | ---D | M]

[2010.06.01 17:16:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010.06.01 17:16:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.07.25 21:09:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions
[2010.07.06 20:31:09 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2010.07.22 20:52:57 | 000,000,000 | ---D | M] (Session Manager) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2010.07.15 00:46:23 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010.07.15 00:46:24 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.06.29 08:34:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010.04.30 17:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\elemhidehelper@adblockplus.org
[2010.04.30 17:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010.04.30 17:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\lv-LV@dictionaries.addons.mozilla.org
[2010.06.29 00:18:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\ru@dictionaries.addons.mozilla.org
[2010.07.19 20:20:29 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\searchplugins\icqplugin.xml
[2010.04.30 18:36:12 | 000,001,090 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\searchplugins\u5mikslv.xml
[2010.07.25 21:09:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.07.14 19:23:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.07.14 19:23:32 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.07.20 16:21:09 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010.05.02 23:33:07 | 000,000,764 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Look 'n' Stop] C:\Program Files\Soft4Ever\looknstop\looknstop.exe ()
O4 - HKLM..\Run: [MacrokeyManager] C:\WINDOWS\System32\WTMKM.exe ()
O4 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003..\Run: [EssentialPIM Pro Portable] C:\Program Files\EssentialPIM_Pro_Portable_3\EssentialPIM Pro Portable 3.54\EssentialPIM.exe (Astonsoft Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Добавить к существующему PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Добавить содержимое по ссылке в существующий файл PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Преобразовать в Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Преобразовать содержимое по ссылке в PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1160486331281 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007.08.01 14:26:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010.07.16 20:35:32 | 000,000,061 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010.07.16 20:35:32 | 000,000,061 | RHS- | M] () - E:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010.07.27 00:04:57 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010.07.26 17:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\BLEEP
[2010.07.20 16:22:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxit Software
[2010.07.20 16:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Foxit Software
[2010.07.20 15:10:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxit
[2010.07.20 15:09:52 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010.07.18 11:59:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\luksofor
[2010.07.17 16:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010.07.17 16:25:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.07.17 16:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.07.17 16:25:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.07.17 16:25:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.07.16 00:55:14 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.07.15 20:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\SCAN
[2010.07.15 20:39:20 | 000,608,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\COMCTL32.OCX
[2010.07.15 00:28:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010.07.14 19:25:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010.07.14 19:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010.07.14 19:23:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.07.14 19:23:42 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.07.14 19:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.07.14 19:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.07.14 19:23:42 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.07.14 19:23:28 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010.07.14 19:21:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Sun
[2010.07.13 11:42:34 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Firewall Plus
[2010.07.13 11:19:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2010.07.08 15:00:25 | 000,000,000 | ---D | C] -- C:\Program Files\EssentialPIM_Pro_Portable_3
[2010.07.08 14:10:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\EssentialPIM Pro
[2010.07.07 16:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\STAVEJAM NEPAREIZI
[2010.07.06 20:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\looknstop
[2010.07.06 20:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Soft4Ever
[2010.07.05 21:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\vsjakoe
[2010.07.05 12:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Bluetooth
[2010.07.05 12:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Bluetooth
[2010.07.05 10:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\SHABLON_VIBIRAJ
[2010.06.30 18:22:20 | 000,006,144 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\moufiltr.sys
[2010.06.30 18:22:15 | 000,134,888 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\WINTAB32.DLL
[2010.06.30 18:22:15 | 000,126,696 | ---- | C] (Aiptek) -- C:\WINDOWS\System32\Tblfunc.dll
[2010.06.30 18:22:15 | 000,049,152 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\ATWinLog.dll
[2010.06.30 18:22:15 | 000,036,864 | ---- | C] (Aiptek) -- C:\WINDOWS\System32\UTBLFILT.DLL
[2010.06.30 18:22:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\udtablet
[2010.06.30 18:22:14 | 001,753,088 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\TblRes.dll
[2010.06.30 18:22:14 | 001,515,240 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\TABLET.CPL
[2010.06.30 18:22:14 | 000,069,632 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\Funckey.dll
[2010.05.02 22:22:11 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2010.05.02 22:22:11 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.07.27 00:04:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010.07.26 23:24:14 | 000,343,552 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100726_2324.epim
[2010.07.26 22:14:37 | 000,000,591 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.07.26 22:14:15 | 002,367,488 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.epim
[2010.07.26 22:14:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.07.26 22:14:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.07.26 22:13:10 | 007,864,320 | ---- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2010.07.26 22:13:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010.07.26 22:13:03 | 004,312,982 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010.07.26 17:39:25 | 000,002,880 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010.07.26 17:28:05 | 000,000,052 | ---- | M] () -- C:\Documents and Settings\User\defogger_reenable
[2010.07.26 17:04:43 | 000,000,097 | ---- | M] () -- C:\Documents and Settings\User\Desktop\SS.LV Компьютеры, оргтехника, Принтеры Лазерные принтеры, Фото. Цена 30 Ls. Pārdod mazlietotu HP LaserJet printeri. Pārdod a.URL
[2010.07.26 11:28:20 | 000,000,470 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Irish.lnk
[2010.07.25 23:16:26 | 000,344,064 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100725_2316.epim
[2010.07.25 01:12:02 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.24 23:16:57 | 000,344,064 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100724_2316.epim
[2010.07.24 02:40:46 | 000,036,696 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010.07.23 18:33:10 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.07.22 01:42:41 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\User\Application Data\winscp.rnd
[2010.07.20 16:03:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.07.20 14:40:29 | 000,085,504 | ---- | M] () -- C:\Documents and Settings\User\My Documents\INBOX.doc
[2010.07.17 16:47:04 | 001,347,966 | ---- | M] () -- C:\Documents and Settings\User\Desktop\spyware_online games.bmp
[2010.07.17 16:31:53 | 000,000,231 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.07.17 13:03:35 | 000,061,945 | ---- | M] () -- C:\Documents and Settings\User\Desktop\corel.rar
[2010.07.16 20:35:32 | 000,000,061 | RHS- | M] () -- C:\autorun.inf
[2010.07.16 00:55:14 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.07.15 18:59:13 | 000,000,071 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Spoguļi SIA Todanoli - stiklu un spoguļu tirdzniecība un izgatavošana uz pasūtijumu.URL
[2010.07.15 16:24:29 | 000,036,992 | ---- | M] () -- C:\Documents and Settings\User\Desktop\sakura-posit.jpg
[2010.07.14 19:23:31 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.07.14 19:23:31 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.07.14 19:23:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.07.14 19:23:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.07.14 19:23:31 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.07.13 21:08:41 | 000,117,248 | RHS- | M] () -- C:\i8gcgmg.exe
[2010.07.13 11:36:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010.07.08 15:02:50 | 000,001,118 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to EssentialPIM.lnk
[2010.07.08 02:50:13 | 000,060,928 | ---- | M] () -- C:\Documents and Settings\User\Desktop\SHILL offshore.doc
[2010.07.07 16:46:30 | 000,000,144 | ---- | M] () -- C:\Documents and Settings\User\Desktop\327.ceļa zīmes meža prospekts - Поиск в Google.URL
[2010.07.07 16:46:04 | 000,000,153 | ---- | M] () -- C:\Documents and Settings\User\Desktop\149.10 rīgas domes 305 - Поиск в Google.URL
[2010.07.06 20:20:52 | 000,009,728 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.07.06 20:14:26 | 000,077,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\lnsfw1.sys
[2010.07.06 20:14:26 | 000,045,824 | ---- | M] () -- C:\WINDOWS\System32\drivers\lnsfw.sys
[2010.07.06 20:14:25 | 000,036,924 | ---- | M] () -- C:\WINDOWS\System32\fwapi.dll
[2010.07.05 21:18:36 | 000,000,121 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ceļu satiksmes likuma 43.2 - Поиск в Google.URL
[2010.07.05 21:18:28 | 000,000,090 | ---- | M] () -- C:\Documents and Settings\User\Desktop\tiesas.lv - E-Pakalpojumi.URL
[2010.07.05 15:01:40 | 000,068,497 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ASERVISS.pdf
[2010.07.02 08:25:21 | 000,028,024 | ---- | M] () -- C:\WINDOWS\FontData.fdb
[2010.06.30 18:18:07 | 002,036,792 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.07.26 23:24:14 | 000,343,552 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100726_2324.epim
[2010.07.26 17:27:58 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\User\defogger_reenable
[2010.07.26 17:04:43 | 000,000,097 | ---- | C] () -- C:\Documents and Settings\User\Desktop\SS.LV Компьютеры, оргтехника, Принтеры Лазерные принтеры, Фото. Цена 30 Ls. Pārdod mazlietotu HP LaserJet printeri. Pārdod a.URL
[2010.07.26 11:28:55 | 000,061,945 | ---- | C] () -- C:\Documents and Settings\User\Desktop\corel.rar
[2010.07.25 23:16:26 | 000,344,064 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100725_2316.epim
[2010.07.25 01:12:00 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.24 23:16:57 | 000,344,064 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100724_2316.epim
[2010.07.20 16:03:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.07.17 16:47:03 | 001,347,966 | ---- | C] () -- C:\Documents and Settings\User\Desktop\spyware_online games.bmp
[2010.07.16 01:06:11 | 000,000,061 | RHS- | C] () -- C:\autorun.inf
[2010.07.15 18:59:13 | 000,000,071 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Spoguļi SIA Todanoli - stiklu un spoguļu tirdzniecība un izgatavošana uz pasūtijumu.URL
[2010.07.15 16:24:22 | 000,036,992 | ---- | C] () -- C:\Documents and Settings\User\Desktop\sakura-posit.jpg
[2010.07.14 07:52:34 | 000,117,248 | RHS- | C] () -- C:\i8gcgmg.exe
[2010.07.08 15:02:50 | 000,001,118 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to EssentialPIM.lnk
[2010.07.08 15:00:16 | 002,367,488 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.epim
[2010.07.07 16:46:30 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\User\Desktop\327.ceļa zīmes meža prospekts - Поиск в Google.URL
[2010.07.07 16:46:04 | 000,000,153 | ---- | C] () -- C:\Documents and Settings\User\Desktop\149.10 rīgas domes 305 - Поиск в Google.URL
[2010.07.06 20:20:52 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.07.06 20:14:25 | 000,077,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\lnsfw1.sys
[2010.07.06 20:14:25 | 000,045,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\lnsfw.sys
[2010.07.06 20:14:25 | 000,036,924 | ---- | C] () -- C:\WINDOWS\System32\fwapi.dll
[2010.07.05 21:18:36 | 000,000,121 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ceļu satiksmes likuma 43.2 - Поиск в Google.URL
[2010.07.05 21:18:28 | 000,000,090 | ---- | C] () -- C:\Documents and Settings\User\Desktop\tiesas.lv - E-Pakalpojumi.URL
[2010.07.05 15:01:40 | 000,068,497 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ASERVISS.pdf
[2010.07.01 10:48:45 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\User\Desktop\WebMoney Cards.URL
[2010.06.30 18:22:15 | 000,515,816 | ---- | C] () -- C:\WINDOWS\System32\atwtusb.exe
[2010.06.30 18:22:14 | 000,118,504 | ---- | C] () -- C:\WINDOWS\System32\Calibration.exe
[2010.06.30 18:22:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\InstallService.exe
[2010.06.30 18:22:13 | 005,586,664 | ---- | C] () -- C:\WINDOWS\System32\WTMKM.exe
[2010.06.30 18:22:13 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\ATWTINK.DLL
[2010.06.30 18:22:13 | 000,126,696 | ---- | C] () -- C:\WINDOWS\RmTablet.exe
[2010.06.30 18:22:13 | 000,013,254 | ---- | C] () -- C:\WINDOWS\System32\Vista.ini
[2010.06.30 18:22:13 | 000,012,948 | ---- | C] () -- C:\WINDOWS\System32\XP_2000.ini
[2010.06.30 18:22:13 | 000,008,229 | ---- | C] () -- C:\WINDOWS\aiptbl.ini
[2010.06.30 18:22:13 | 000,001,192 | ---- | C] () -- C:\WINDOWS\System32\Hit.WAV
[2010.06.30 18:22:13 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\MKProfile.ini
[2010.06.22 10:03:04 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010.05.06 13:29:17 | 000,000,382 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010.04.29 15:24:33 | 000,014,545 | R--- | C] () -- C:\WINDOWS\System32\Photoshop Elements.ini
[2010.04.29 15:24:33 | 000,010,361 | R--- | C] () -- C:\WINDOWS\System32\PhotoImpact XL SE.ini
[2006.09.08 16:06:25 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006.09.08 16:06:24 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006.09.08 16:06:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2006.09.08 16:06:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2006.09.08 16:06:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2006.09.08 03:01:14 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2006.09.08 03:01:14 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2006.09.08 03:01:14 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2004.08.22 17:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007.08.01 17:07:23 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007.08.01 17:07:22 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007.08.01 17:07:22 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >
[2010.07.13 21:08:41 | 000,117,248 | RHS- | M] () -- C:\i8gcgmg.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E965A533
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:41ADDB8A
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A064CECC
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
< End of report >

Extras.txt

OTL Extras logfile created on: 23.07.2010 21:34:21 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 60,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816E:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298,08 Gb Total Space | 220,90 Gb Free Space | 74,11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 111,79 Gb Total Space | 86,07 Gb Free Space | 76,99% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MP2010-7D10447F
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS4 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51000:TCP" = 51000:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51001:TCP" = 51001:TCP:*:Enabled:Adobe Version Cue CS4 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\ICQ7.1\ICQ.exe" = C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1 -- (ICQ, LLC.)
"C:\Program Files\ICQ7.1\aolload.exe" = C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe -- (AOL LLC)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\ICQ7.1\ICQ.exe" = C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1 -- (ICQ, LLC.)
"C:\Program Files\ICQ7.1\aolload.exe" = C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe -- (AOL LLC)
"C:\Program Files\WebMoney\WebMoney.exe" = C:\Program Files\WebMoney\WebMoney.exe:*:Enabled:WebMoney Keeper Classic Runner Module -- (CJSC "Computing Forces")
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:*:Enabled:Adobe Version Cue CS4 Server -- (Adobe Systems Incorporated)
"C:\Program Files\WinSCP\WinSCP.exe" = C:\Program Files\WinSCP\WinSCP.exe:*:Enabled:WinSCP: SFTP, FTP and SCP client -- (Martin Prikryl)
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW® Graphics Suite X4
"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{11FC22F2-F582-40ED-B787-2C1FDC04CB3B}" = CorelDRAW Graphics Suite X4 - IPM
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1B7C06E1-4888-47A6-992A-0990B9683486}" = Adobe Version Cue CS4 Server
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3A6829EF-0791-4FDD-9382-C690DD0821B9}" = Adobe Flash Player 10 ActiveX
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{425AD62D-5B16-494C-8AAB-6B3D0CF2527A}" = Adobe Setup
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{4AAC95F4-A30E-4EE5-A086-6F79581D0D70}" = ACDSee Pro 2
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D9A7CEE-054A-437D-99EF-DD7C77E001FD}" = WebMoney Keeper Classic 3.9.1.0
"{71BFC818-0CED-42D6-9C87-5142918957EE}" = ICQ7.1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74E78471-E122-4101-8744-CEB6C5C027A0}" = Foxit PDF IFilter
"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA
"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture
"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw
"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content
"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters
"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav
"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83744391-B5A4-40E3-8A7D-E8BF39CB00ED}" = Adobe Creative Suite 4 Design Premium
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{846AC73B-9394-48B9-B941-8F7F472F0047}" = Bluesoleil2.6.0.9 Release 070606
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90110419-6000-11D3-8CFE-0150048383C9}" = Microsoft Office - профессиональный выпуск версии 2003
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{AC76BA86-1048-8780-7760-000000000004}" = Adobe Acrobat 9 Pro - Romanian, Ukrainian, Russian, Turkish
"{AC76BA86-1048-8780-7760-000000000004}{AC76BA86-1048-8780-7760-000000000004}" = Adobe Acrobat 9 Pro - Romanian, Ukrainian, Russian, Turkish
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B61D21B6-469D-4423-B161-62DB20B8A70E}" = Visual Basic for Applications ® Core - English
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B9F4561A-924D-4510-A85A-BB0960C338CB}" = Adobe Asset Services CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BF439B41-0252-48DE-8B8B-0430CB26A181}" = CorelDRAW Graphics Suite X4 - VBA
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C6853444-2B6F-4078-9866-7FC92D5FD5C0}_is1" = DepositFiles Uploader 1.3.15.302
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB81779E-7CC5-4630-BCFC-754004956444}" = Visual Basic for Applications ® Core
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6E99614-F042-4459-82B7-8B38B2601356}" = Adobe Flash CS4
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Ace Utilities_is1" = Ace Utilities
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_61891f6653695c87d1383e330e647bc" = Adobe Creative Suite 4 Design Premium
"AFPL Ghostscript 8.00" = AFPL Ghostscript 8.00
"AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts
"C-Media Audio" = C-Media 3D Audio
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 5.0.1 Home Edition
"Foxit Creator" = Foxit Creator
"Foxit PDF Editor" = Foxit PDF Editor
"Foxit Reader" = Foxit Reader
"Hard Disk Sentinel_is1" = Hard Disk Sentinel
"HijackThis" = HijackThis 2.0.2
"KLiteCodecPack_is1" = K-Lite Codec Pack 6.0.0 (Standard)
"Look 'n' Stop 2.06" = Look 'n' Stop 2.06
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.7)" = Mozilla Firefox (3.6.7)
"Mozilla Thunderbird (3.0.6)" = Mozilla Thunderbird (3.0.6)
"ReDynaMix HDR (Adobe Photoshop Plug-in)_is1" = DCETools - ReDynaMix HDR
"Rmtablet" = Pen Pad Driver with Macro Key Manager
"Unlocker" = Unlocker 1.8.9
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.2.7
"ZET 8 Lite 1.62" = ZET 8 Lite 1.62
"Древо Жизни" = Древо Жизни

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"FileZilla Client" = FileZilla Client 3.3.3

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 20.07.2010 7:58:27 | Computer Name = MP2010-7D10447F | Source = Service Control Manager | ID = 7034
Description = The FLEXnet Licensing Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 20.07.2010 12:44:26 | Computer Name = MP2010-7D10447F | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10022

Error - 20.07.2010 14:10:59 | Computer Name = MP2010-7D10447F | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{F4BD9208-EE57-4491-9529-399EF7FFB05B}. The
backup browser is stopping.

Error - 21.07.2010 9:17:24 | Computer Name = MP2010-7D10447F | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10022

Error - 21.07.2010 13:19:58 | Computer Name = MP2010-7D10447F | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10022

Error - 21.07.2010 15:34:30 | Computer Name = MP2010-7D10447F | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{F4BD9208-EE57-4491-9529-399EF7FFB05B}. The
backup browser is stopping.

Error - 22.07.2010 11:21:54 | Computer Name = MP2010-7D10447F | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10022

Error - 22.07.2010 12:36:20 | Computer Name = MP2010-7D10447F | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{F4BD9208-EE57-4491-9529-399EF7FFB05B}. The
backup browser is stopping.

Error - 23.07.2010 11:33:24 | Computer Name = MP2010-7D10447F | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10022

Error - 23.07.2010 12:47:36 | Computer Name = MP2010-7D10447F | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{F4BD9208-EE57-4491-9529-399EF7FFB05B}. The
backup browser is stopping.


< End of report >


Gmer log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-26 19:17:01
Windows 5.1.2600 Service Pack 3
Running: r6tfcvs5.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pwkyqpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip lnsfw1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp lnsfw1.sys
AttachedDevice \Driver\Tcpip \Device\Udp lnsfw1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp lnsfw1.sys

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\User\Local Settings\Temp\~VMF8.tmp 0 bytes
File C:\Documents and Settings\User\Local Settings\Temp\~VMF9.tmp 0 bytes
File C:\Documents and Settings\User\Local Settings\Temp\~VMFA.tmp 0 bytes
File C:\Documents and Settings\User\Local Settings\Temp\~VMFB.tmp 0 bytes
File C:\Documents and Settings\User\Local Settings\Temp\~VMFC.tmp 0 bytes
File C:\Documents and Settings\User\Local Settings\Temp\~VMFD.tmp 0 bytes
File C:\Documents and Settings\User\Local Settings\Temp\~VMFE.tmp 0 bytes
File C:\Documents and Settings\User\Local Settings\Temp\~VMFF.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by pcgi, 26 July 2010 - 05:58 PM.
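The OTL listing above is the sort of output a responder normally reads by eye. As an added example (not part of the thread, and not OTL's own code), the Python below applies the heuristics a helper would use on it: executables and autorun.inf sitting at a drive root, hidden+system attributes on such files, kernel drivers that carry no company name in their version resource, and alternate data streams. The regular expressions are my reading of OTL's `[timestamp | size | attrs | M/C] (company) -- path` line format, not a documented specification, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One OTL file entry looks like:
#   [2010.07.13 21:08:41 | 000,117,248 | RHS- | M] () -- C:\i8gcgmg.exe
# timestamp | size | attributes (R, H, S, D or -) | M(odified)/C(reated), then the
# company name from the version resource (empty parentheses when absent) and the path.
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Alternate data stream entries:
#   @Alternate Data Stream - 154 bytes -> C:\...\TEMP:E965A533
OTL_ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+)$")

EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".pif", ".bat", ".cmd"}
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # C:\name and nothing deeper


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def triage_otl(lines) -> Dict[str, Finding]:
    """Return the entries worth a second look, keyed by path, with the reason(s)."""
    findings: Dict[str, Finding] = {}

    def flag(path: str, reason: str) -> None:
        findings.setdefault(path, Finding(path)).reasons.append(reason)

    for raw in lines:
        line = raw.strip()
        m = OTL_ADS_RE.match(line)
        if m:
            flag(m["path"], "alternate data stream")
            continue
        m = OTL_FILE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, "[3 C:\WINDOWS\*.tmp files ...]"
        path, attrs, company = m["path"], m["attrs"], m["company"].strip()
        name = path.rsplit("\\", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        at_root = DRIVE_ROOT_RE.match(path) is not None

        if at_root and name == "autorun.inf":
            flag(path, "autorun.inf at drive root")
        if at_root and ext in EXEC_EXT:
            flag(path, "executable at drive root")
        # Hidden+system is normal for a few Windows files (ntuser.ini, bootstat.dat);
        # it is only interesting on executables or on files dropped at a drive root.
        if "H" in attrs and "S" in attrs and (at_root or ext in EXEC_EXT):
            flag(path, "hidden+system attributes")
        if ext == ".sys" and "\\drivers\\" in path.lower() and not company:
            flag(path, "kernel driver with no company name (check the hash on VirusTotal)")
    return findings


# Lines copied from the OTL log above (a mix of hits and benign entries).
SAMPLE_LOG = r"""
[2010.07.27 00:04:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010.07.26 22:13:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010.07.16 20:35:32 | 000,000,061 | RHS- | M] () -- C:\autorun.inf
[2010.07.16 00:55:14 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.07.13 21:08:41 | 000,117,248 | RHS- | M] () -- C:\i8gcgmg.exe
[2010.07.06 20:14:26 | 000,077,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\lnsfw1.sys
@Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E965A533
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG).values():
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

A hit is a prompt to verify, not a verdict: the uninstall list further down shows Look 'n' Stop 2.06, a likely owner for the lnsfw*.sys drivers, and GMER shows lnsfw1.sys attached to the TCP/IP stack exactly as a software firewall would be. The root-level `i8gcgmg.exe` with RHS attributes next to an RHS `autorun.inf`, on the other hand, is the pattern HouseCall later names.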


#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 27 July 2010 - 07:01 AM

Hi pcgi,

OTL only produces Extras.txt the first time it is run, so that's why you couldn't get another, and that log is fine, thanks.


I don't see anything wrong in your logs, can you tell me if you are still having any problems?

Install an AntiVirus
I don't see an updated Anti Virus program running on your machine. It is essential that you have an Anti Virus installed and keep it updated. Without an updated Anti Virus running you are leaving yourself wide open to infection every time you go on the internet.

These are some suggestions for a good free (non-commercial home use) Anti Virus:

Avast!
Antivir
AVG

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.



Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.



Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following files one by one and click Submit.

C:\WINDOWS\System32\EuEpmGdi.dll
C:\WINDOWS\System32\epmntdrv.sys
C:\WINDOWS\System32\EuGdiDrv.sys

Please post back with the link to the scan results, in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/


Once you have done that please run OTL again and post the new log, along with the Virustotal results.
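Two of the steps in this reply, immunising drive roots against autorun-based reinfection and getting file hashes in front of VirusTotal, can be scripted. The Python below is an added example, not from the post and not the code of Flash_Disinfector or VirusTotal: it parses an `autorun.inf` found at a drive root, resolves the programs its `open` / `shellexecute` / `shell\...\command` keys would launch, computes their SHA-256 so the hash can be looked up instead of uploading the file, and then plants a directory named `autorun.inf` so a worm cannot drop a file of that name without removing the directory first. The autorun.inf body and the stand-in executable bytes are constructed for the demo; the file name `i8gcgmg.exe` is taken from the logs above.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# [autorun] keys that can name a program to run.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# Constructed sample, in the shape an autorun worm writes; not the file from the thread.
CONSTRUCTED_AUTORUN = (
    "[autorun]\r\n"
    "open=i8gcgmg.exe\r\n"
    "shell\\open\\command=i8gcgmg.exe\r\n"
    "shell\\explore\\command=i8gcgmg.exe\r\n"
)
STANDIN_BYTES = b"MZ" + b"\x00" * 64  # constructed stand-in for the dropped executable


def parse_autorun(text: str) -> dict:
    """Return {key: command} for launch keys in the [autorun] section (keys lower-cased)."""
    commands, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS:
            commands[key.lower()] = value
    return commands


def program_from_command(command: str) -> str:
    """First token of a command line with quotes removed: '"C:\\x y.exe" /q' -> 'C:\\x y.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_drive_root(root) -> dict:
    """Describe the autorun.inf at `root` (if any) and hash every program it launches."""
    root = Path(root)
    inf = root / "autorun.inf"
    result = {"autorun_present": False, "is_directory": False, "targets": []}
    if not inf.exists():
        return result
    result["autorun_present"] = True
    if inf.is_dir():
        result["is_directory"] = True  # an immunisation placeholder, not a real autorun file
        return result
    for key, cmd in parse_autorun(inf.read_text(errors="replace")).items():
        target = root / program_from_command(cmd).replace("\\", os.sep)
        result["targets"].append({
            "key": key, "command": cmd, "path": str(target),
            "exists": target.is_file(),
            "sha256": sha256_file(target) if target.is_file() else None,  # look this up on VirusTotal
        })
    return result


def immunise(root) -> Path:
    """Create a directory named autorun.inf; refuse if a real autorun.inf file is still there."""
    inf = Path(root) / "autorun.inf"
    if inf.is_file():
        raise FileExistsError(f"{inf} is a file; inspect and remove it before immunising")
    inf.mkdir(exist_ok=True)
    return inf


def demo():
    """Run the whole sequence in a temporary 'drive root' and return (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "i8gcgmg.exe").write_bytes(STANDIN_BYTES)
        (root / "autorun.inf").write_text(CONSTRUCTED_AUTORUN)
        before = inspect_drive_root(root)
        (root / "autorun.inf").unlink()   # remove the malicious file first ...
        immunise(root)                    # ... then occupy the name with a directory
        after = inspect_drive_root(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for t in before["targets"]:
        print(t["key"], "->", t["path"], t["sha256"])
    print("after immunising:", after)
```

On a real machine, point `inspect_drive_root` at each root listed in the Extras log (`C:\` and `E:\` here) and at any USB stick, and search VirusTotal by the printed SHA-256 before deciding whether to upload. The directory trick only blocks a worm that writes `autorun.inf` naively; malware that deletes the directory first will still succeed, which is why the post pairs it with a proper, updated antivirus.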



#7 pcgi

  • Topic Starter
  • Members
  • 8 posts

Posted 27 July 2010 - 08:29 PM

Hello syler and big Thanks for your help!

Sorry Syler, but yesterday I couldn't wait and did some scans: HouseCall by Trend Micro (cool thing), and Malwarebytes. Maybe that's why the logs showed nothing.
HouseCall found this:
1) i8gcgmg.exe TROJ_GAMETHI.FOT (Trojan) location C:\i8gcgmg.exe
2) the same trojan on E:\ (I have 2 disk drives)
3) autorun.inf Mal_Otorun2 (Virus) location C:\autorun.inf
4) 1j038ki.exe TROJ_GAMETHI.GRC (Trojan) location E:\1j038ki.exe
5) autorun.inf Mal_Otorun2 (Virus) location E:\autorun.inf
6) g6jk.exe WORM_TATERF.BN (Trojan) location E:\g6jk.exe
7) mk28sp.exe TROJ_GEN.R47E1G4 (Generic) location E:\mk28sp.exe
8) rxf.exe TROJ_GAMETHI.FNM (Trojan) location E:\rxf.exe

Malwarebytes:
Files Infected:
C:\Documents and Settings\User\My Documents\Root\RECYCLER\S-1-5-21-1343024091-1957994488-1202660629-1003\Dc90\Manual\1_64.gif (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP106\A0025598.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP77\A0023671.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP77\A0023704.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP78\A0023730.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP78\A0023738.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP78\A0023752.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP79\A0023787.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP79\A0023803.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP80\A0023805.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP80\A0023886.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP80\A0023903.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP81\A0023908.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP81\A0023951.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP82\A0023953.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP82\A0023980.exe (Worm.Magania) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP82\A0023999.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP82\A0024010.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP82\A0024055.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP82\A0024086.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP83\A0024106.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP83\A0024125.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP83\A0024160.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP84\A0024167.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP84\A0024210.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP89\A0024651.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP90\A0024655.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP90\A0024764.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP91\A0024785.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{685A8FB7-0296-41EC-9E5F-044D3C97D027}\RP91\A0024819.exe (Worm.Magania) -> Quarantined and deleted successfully.
E:\x3xh.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

I also used NOOB.KILLER.leerz.exe; it found many autorun.inf files and the MarcMaynard.exe trojan.


But after all that, the PC is still sluggish: explorer.exe goes up to 99% and I can't do anything until I restart explorer.exe. But when I did the Flash Disinfector thing, it got back to normal.
Interestingly, on my flash drive I couldn't create the autorun.inf folder with Flash_Disinfector.exe, because there was already an autorun.inf file there (it had a command inside, something like "start=mk28sp.exe"), along with mk28sp.exe and 1j038ki.exe.
Malwarebytes found only 1 file infected:
G:\mk28sp.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
Only after I removed autorun.inf could Flash_Disinfector.exe create the folder on the flash drive. And Explorer is back to normal again.
----------

Virustotal showed those 3 files are clean.


OTL log:

OTL logfile created on: 28.07.2010 4:11:24 - Run 5
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 60,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816E:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298,08 Gb Total Space | 220,48 Gb Free Space | 73,97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 111,79 Gb Total Space | 86,12 Gb Free Space | 77,04% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 1,87 Gb Total Space | 1,87 Gb Free Space | 99,59% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MP2010-7D10447F
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.07.28 04:11:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010.07.26 03:21:42 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010.07.06 20:21:07 | 000,512,070 | ---- | M] () -- C:\Program Files\Soft4Ever\looknstop\looknstop.exe
PRC - [2010.04.29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009.11.26 14:48:10 | 000,515,816 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe
PRC - [2009.11.02 13:23:56 | 002,457,600 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\User\Desktop\SCAN\RootkitBuster.exe
PRC - [2009.09.25 11:04:24 | 005,586,664 | ---- | M] () -- C:\WINDOWS\system32\WTMKM.exe
PRC - [2008.04.14 15:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010.07.28 04:11:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2008.04.14 15:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010.05.02 23:38:33 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.11.26 14:48:10 | 000,515,816 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\atwtusb.exe -- (WTService)
SRV - [2008.08.15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2007.07.24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)


========== Driver Services (SafeList) ==========

DRV - [2010.07.28 03:54:56 | 000,161,296 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010.07.06 20:14:26 | 000,077,184 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\lnsfw1.sys -- (lnsfw1)
DRV - [2010.07.06 20:14:26 | 000,045,824 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lnsfw.sys -- (SFilter)
DRV - [2010.01.20 16:53:06 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2010.01.20 16:53:04 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2009.08.20 18:38:24 | 000,006,144 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\walvhid.sys -- (vhidmini)
DRV - [2009.03.08 19:15:14 | 000,006,144 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\moufiltr.sys -- (moufiltr)
DRV - [2008.08.14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs)
DRV - [2008.04.14 01:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007.05.23 04:21:12 | 000,016,272 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btnetdrv.sys -- (BT)
DRV - [2007.05.23 04:20:58 | 000,036,496 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2007.05.11 03:10:50 | 000,034,704 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2007.03.05 06:00:04 | 000,027,792 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)
DRV - [2007.03.05 05:56:18 | 000,035,600 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2007.03.05 05:55:12 | 000,020,880 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2007.03.05 05:53:18 | 000,044,304 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2007.03.05 05:52:18 | 000,034,448 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2005.10.26 15:14:34 | 000,006,927 | R--- | M] (Conexant Systems, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UIUSYS.SYS -- (UIUSys)
DRV - [2005.03.04 11:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004.08.22 16:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
DRV - [2004.08.22 16:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://google.com
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 95.169.190.2:80

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.lv/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.4
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.7
FF - prefs.js..extensions.enabledItems: elemhidehelper@adblockplus.org:1.0.6
FF - prefs.js..extensions.enabledItems: lv-LV@dictionaries.addons.mozilla.org:0.8.2
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.8.3
FF - prefs.js..extensions.enabledItems: ru@dictionaries.addons.mozilla.org:0.4.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://www.google.lv/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.26 03:21:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.26 03:21:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.6\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.07.23 21:07:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.07.20 15:10:21 | 000,000,000 | ---D | M]

[2010.06.01 17:16:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010.06.01 17:16:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.07.28 01:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions
[2010.07.06 20:31:09 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2010.07.28 01:12:27 | 000,000,000 | ---D | M] (Session Manager) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2010.07.27 02:04:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010.07.15 00:46:24 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.06.29 08:34:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010.04.30 17:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\elemhidehelper@adblockplus.org
[2010.04.30 17:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010.04.30 17:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\lv-LV@dictionaries.addons.mozilla.org
[2010.06.29 00:18:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\ru@dictionaries.addons.mozilla.org
[2010.07.27 00:11:30 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\searchplugins\icqplugin.xml
[2010.04.30 18:36:12 | 000,001,090 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\searchplugins\u5mikslv.xml
[2010.07.28 01:13:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.07.14 19:23:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.07.14 19:23:32 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.07.20 16:21:09 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010.05.02 23:33:07 | 000,000,764 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Look 'n' Stop] C:\Program Files\Soft4Ever\looknstop\looknstop.exe ()
O4 - HKLM..\Run: [MacrokeyManager] C:\WINDOWS\System32\WTMKM.exe ()
O4 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003..\Run: [EssentialPIM Pro Portable] C:\Program Files\EssentialPIM_Pro_Portable_3\EssentialPIM Pro Portable 3.54\EssentialPIM.exe (Astonsoft Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Добавить к существующему PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Добавить содержимое по ссылке в существующий файл PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Преобразовать в Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Преобразовать содержимое по ссылке в PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1160486331281 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007.08.01 14:26:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010.07.28 03:15:42 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010.07.28 03:15:42 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010.07.28 03:22:12 | 000,000,000 | RHSD | M] - G:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010.07.28 04:11:11 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010.07.28 03:54:57 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.07.28 03:49:30 | 005,936,464 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\User\Desktop\BGSetup_2.0.1072.exe
[2010.07.28 03:15:42 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010.07.26 17:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\BLEEP
[2010.07.20 16:22:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxit Software
[2010.07.20 16:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Foxit Software
[2010.07.20 15:10:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxit
[2010.07.20 15:09:52 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010.07.18 11:59:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\luksofor
[2010.07.17 16:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010.07.17 16:25:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.07.17 16:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.07.17 16:25:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.07.17 16:25:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.07.15 20:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\SCAN
[2010.07.15 20:39:20 | 000,608,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\COMCTL32.OCX
[2010.07.15 00:28:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010.07.14 19:25:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010.07.14 19:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010.07.14 19:23:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.07.14 19:23:42 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.07.14 19:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.07.14 19:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.07.14 19:23:42 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.07.14 19:23:28 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010.07.14 19:21:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Sun
[2010.07.13 11:42:34 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Firewall Plus
[2010.07.13 11:19:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2010.07.08 15:00:25 | 000,000,000 | ---D | C] -- C:\Program Files\EssentialPIM_Pro_Portable_3
[2010.07.08 14:10:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\EssentialPIM Pro
[2010.07.07 16:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\STAVEJAM NEPAREIZI
[2010.07.06 20:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\looknstop
[2010.07.06 20:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Soft4Ever
[2010.07.05 21:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\vsjakoe
[2010.07.05 12:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Bluetooth
[2010.07.05 12:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Bluetooth
[2010.07.05 10:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\SHABLON_VIBIRAJ
[2010.06.30 18:22:20 | 000,006,144 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\moufiltr.sys
[2010.06.30 18:22:15 | 000,134,888 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\WINTAB32.DLL
[2010.06.30 18:22:15 | 000,126,696 | ---- | C] (Aiptek) -- C:\WINDOWS\System32\Tblfunc.dll
[2010.06.30 18:22:15 | 000,049,152 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\ATWinLog.dll
[2010.06.30 18:22:15 | 000,036,864 | ---- | C] (Aiptek) -- C:\WINDOWS\System32\UTBLFILT.DLL
[2010.06.30 18:22:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\udtablet
[2010.06.30 18:22:14 | 001,753,088 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\TblRes.dll
[2010.06.30 18:22:14 | 001,515,240 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\TABLET.CPL
[2010.06.30 18:22:14 | 000,069,632 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\Funckey.dll
[2010.05.02 22:22:11 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2010.05.02 22:22:11 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.07.28 04:11:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010.07.28 03:54:56 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.07.28 03:49:32 | 005,936,464 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\User\Desktop\BGSetup_2.0.1072.exe
[2010.07.28 03:48:25 | 002,367,488 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.epim
[2010.07.28 03:18:53 | 000,000,591 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.07.28 03:18:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.07.28 03:18:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.07.28 03:17:14 | 007,864,320 | ---- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2010.07.28 03:17:14 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010.07.28 03:17:09 | 004,316,588 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010.07.28 03:10:57 | 054,835,272 | ---- | M] () -- C:\Documents and Settings\User\Desktop\setup_av_free.exe
[2010.07.28 01:42:54 | 000,382,327 | ---- | M] () -- C:\Documents and Settings\User\Desktop\oldbaba.jpg
[2010.07.28 01:37:13 | 025,866,661 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Graphic12.rar
[2010.07.28 01:10:06 | 000,005,120 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.28 00:19:52 | 016,134,988 | ---- | M] () -- C:\Documents and Settings\User\Desktop\photo_VArkhipov_mirror.tif
[2010.07.27 23:34:38 | 000,344,064 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100727_2334.epim
[2010.07.27 14:44:36 | 000,000,090 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Про ходунки — ККМ Клуб.URL
[2010.07.27 11:36:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010.07.27 02:22:03 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010.07.26 23:24:14 | 000,343,552 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100726_2324.epim
[2010.07.26 17:39:25 | 000,002,880 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010.07.26 17:28:05 | 000,000,052 | ---- | M] () -- C:\Documents and Settings\User\defogger_reenable
[2010.07.26 11:28:20 | 000,000,470 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Irish.lnk
[2010.07.25 23:16:26 | 000,344,064 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100725_2316.epim
[2010.07.24 02:40:46 | 000,036,696 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010.07.23 18:33:10 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.07.22 01:42:41 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\User\Application Data\winscp.rnd
[2010.07.20 16:03:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.07.20 14:40:29 | 000,085,504 | ---- | M] () -- C:\Documents and Settings\User\My Documents\INBOX.doc
[2010.07.17 16:31:53 | 000,000,231 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.07.17 13:03:35 | 000,061,945 | ---- | M] () -- C:\Documents and Settings\User\Desktop\corel.rar
[2010.07.15 18:59:13 | 000,000,071 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Spoguļi SIA Todanoli - stiklu un spoguļu tirdzniecība un izgatavošana uz pasūtijumu.URL
[2010.07.15 16:24:29 | 000,036,992 | ---- | M] () -- C:\Documents and Settings\User\Desktop\sakura-posit.jpg
[2010.07.14 19:23:31 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.07.14 19:23:31 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.07.14 19:23:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.07.14 19:23:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.07.14 19:23:31 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.07.08 15:02:50 | 000,001,118 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to EssentialPIM.lnk
[2010.07.08 02:50:13 | 000,060,928 | ---- | M] () -- C:\Documents and Settings\User\Desktop\SHILL offshore.doc
[2010.07.07 16:46:30 | 000,000,144 | ---- | M] () -- C:\Documents and Settings\User\Desktop\327.ceļa zīmes meža prospekts - Поиск в Google.URL
[2010.07.07 16:46:04 | 000,000,153 | ---- | M] () -- C:\Documents and Settings\User\Desktop\149.10 rīgas domes 305 - Поиск в Google.URL
[2010.07.06 20:20:52 | 000,009,728 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.07.06 20:14:26 | 000,077,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\lnsfw1.sys
[2010.07.06 20:14:26 | 000,045,824 | ---- | M] () -- C:\WINDOWS\System32\drivers\lnsfw.sys
[2010.07.06 20:14:25 | 000,036,924 | ---- | M] () -- C:\WINDOWS\System32\fwapi.dll
[2010.07.05 21:18:36 | 000,000,121 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ceļu satiksmes likuma 43.2 - Поиск в Google.URL
[2010.07.05 21:18:28 | 000,000,090 | ---- | M] () -- C:\Documents and Settings\User\Desktop\tiesas.lv - E-Pakalpojumi.URL
[2010.07.05 15:01:40 | 000,068,497 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ASERVISS.pdf
[2010.07.02 08:25:21 | 000,028,024 | ---- | M] () -- C:\WINDOWS\FontData.fdb
[2010.06.30 18:18:07 | 002,036,792 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.07.28 03:10:22 | 054,835,272 | ---- | C] () -- C:\Documents and Settings\User\Desktop\setup_av_free.exe
[2010.07.28 01:42:16 | 000,382,327 | ---- | C] () -- C:\Documents and Settings\User\Desktop\oldbaba.jpg
[2010.07.28 01:36:25 | 025,866,661 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Graphic12.rar
[2010.07.28 00:19:37 | 016,134,988 | ---- | C] () -- C:\Documents and Settings\User\Desktop\photo_VArkhipov_mirror.tif
[2010.07.27 23:34:38 | 000,344,064 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100727_2334.epim
[2010.07.27 14:44:30 | 000,000,090 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Про ходунки — ККМ Клуб.URL
[2010.07.27 02:22:03 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010.07.26 23:24:14 | 000,343,552 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100726_2324.epim
[2010.07.26 17:27:58 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\User\defogger_reenable
[2010.07.26 17:04:43 | 000,000,097 | ---- | C] () -- C:\Documents and Settings\User\Desktop\SS.LV Компьютеры, оргтехника, Принтеры Лазерные принтеры, Фото. Цена 30 Ls. Pārdod mazlietotu HP LaserJet printeri. Pārdod a.URL
[2010.07.26 11:28:55 | 000,061,945 | ---- | C] () -- C:\Documents and Settings\User\Desktop\corel.rar
[2010.07.25 23:16:26 | 000,344,064 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100725_2316.epim
[2010.07.25 01:12:00 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.20 16:03:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.07.15 18:59:13 | 000,000,071 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Spoguļi SIA Todanoli - stiklu un spoguļu tirdzniecība un izgatavošana uz pasūtijumu.URL
[2010.07.15 16:24:22 | 000,036,992 | ---- | C] () -- C:\Documents and Settings\User\Desktop\sakura-posit.jpg
[2010.07.08 15:02:50 | 000,001,118 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to EssentialPIM.lnk
[2010.07.08 15:00:16 | 002,367,488 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.epim
[2010.07.07 16:46:30 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\User\Desktop\327.ceļa zīmes meža prospekts - Поиск в Google.URL
[2010.07.07 16:46:04 | 000,000,153 | ---- | C] () -- C:\Documents and Settings\User\Desktop\149.10 rīgas domes 305 - Поиск в Google.URL
[2010.07.06 20:20:52 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.07.06 20:14:25 | 000,077,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\lnsfw1.sys
[2010.07.06 20:14:25 | 000,045,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\lnsfw.sys
[2010.07.06 20:14:25 | 000,036,924 | ---- | C] () -- C:\WINDOWS\System32\fwapi.dll
[2010.07.05 21:18:36 | 000,000,121 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ceļu satiksmes likuma 43.2 - Поиск в Google.URL
[2010.07.05 21:18:28 | 000,000,090 | ---- | C] () -- C:\Documents and Settings\User\Desktop\tiesas.lv - E-Pakalpojumi.URL
[2010.07.05 15:01:40 | 000,068,497 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ASERVISS.pdf
[2010.07.01 10:48:45 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\User\Desktop\WebMoney Cards.URL
[2010.06.30 18:22:15 | 000,515,816 | ---- | C] () -- C:\WINDOWS\System32\atwtusb.exe
[2010.06.30 18:22:14 | 000,118,504 | ---- | C] () -- C:\WINDOWS\System32\Calibration.exe
[2010.06.30 18:22:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\InstallService.exe
[2010.06.30 18:22:13 | 005,586,664 | ---- | C] () -- C:\WINDOWS\System32\WTMKM.exe
[2010.06.30 18:22:13 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\ATWTINK.DLL
[2010.06.30 18:22:13 | 000,126,696 | ---- | C] () -- C:\WINDOWS\RmTablet.exe
[2010.06.30 18:22:13 | 000,013,254 | ---- | C] () -- C:\WINDOWS\System32\Vista.ini
[2010.06.30 18:22:13 | 000,012,948 | ---- | C] () -- C:\WINDOWS\System32\XP_2000.ini
[2010.06.30 18:22:13 | 000,008,229 | ---- | C] () -- C:\WINDOWS\aiptbl.ini
[2010.06.30 18:22:13 | 000,001,192 | ---- | C] () -- C:\WINDOWS\System32\Hit.WAV
[2010.06.30 18:22:13 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\MKProfile.ini
[2010.06.22 10:03:04 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010.05.06 13:29:17 | 000,000,382 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010.04.29 15:24:33 | 000,014,545 | R--- | C] () -- C:\WINDOWS\System32\Photoshop Elements.ini
[2010.04.29 15:24:33 | 000,010,361 | R--- | C] () -- C:\WINDOWS\System32\PhotoImpact XL SE.ini
[2006.09.08 16:06:25 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006.09.08 16:06:24 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006.09.08 16:06:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2006.09.08 16:06:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2006.09.08 16:06:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2006.09.08 03:01:14 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2006.09.08 03:01:14 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2006.09.08 03:01:14 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2004.08.22 17:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007.08.01 17:07:23 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007.08.01 17:07:22 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007.08.01 17:07:22 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E965A533
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:41ADDB8A
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A064CECC
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
< End of report >

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:30 AM

Posted 28 July 2010 - 06:34 AM

QUOTE
Sorry Syler, but yesterday I couldn't wait and did some scans: Housecall by Trend Micro (cool thing), and Malwarebytes. Maybe that's why logs showed nothing.


Please be patient and do not do any other scan whilst I am helping you.

I still don't see an installed AV in your logs, please install an AV, then run a new OTL scan and post back with the log.



#9 pcgi

pcgi
  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:30 AM

Posted 29 July 2010 - 07:48 PM

QUOTE
Please be patient

Deal!

I have to say the antivirus stopped this ggb6w.exe, which is sitting in the root of each hard drive, but it did not delete it. And also, I am unable to see hidden files and folders; this option doesn't work for me.
And explorer.exe goes up to 99% every 5 min and I can't do anything... Please help!

OTL log:


OTL logfile created on: 30.07.2010 3:25:34 - Run 6
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

1,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 42,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 91,00% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816E:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298,08 Gb Total Space | 220,47 Gb Free Space | 73,96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 111,79 Gb Total Space | 85,62 Gb Free Space | 76,59% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MP2010-7D10447F
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.07.30 03:25:08 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010.07.26 03:21:43 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010.07.26 03:21:42 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010.07.06 20:21:07 | 000,512,070 | ---- | M] () -- C:\Program Files\Soft4Ever\looknstop\looknstop.exe
PRC - [2010.06.28 23:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Avast5\AvastUI.exe
PRC - [2010.06.28 23:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Avast5\AvastSvc.exe
PRC - [2009.11.26 14:48:10 | 000,515,816 | ---- | M] () -- C:\WINDOWS\system32\atwtusb.exe
PRC - [2009.09.25 11:04:24 | 005,586,664 | ---- | M] () -- C:\WINDOWS\system32\WTMKM.exe
PRC - [2008.04.14 15:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010.07.30 03:25:08 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2008.04.14 15:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010.06.28 23:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010.06.28 23:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010.06.28 23:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010.05.02 23:38:33 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.11.26 14:48:10 | 000,515,816 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\atwtusb.exe -- (WTService)
SRV - [2008.08.15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2007.07.24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)


========== Driver Services (SafeList) ==========

DRV - [2010.07.06 20:14:26 | 000,077,184 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\lnsfw1.sys -- (lnsfw1)
DRV - [2010.07.06 20:14:26 | 000,045,824 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lnsfw.sys -- (SFilter)
DRV - [2010.06.28 23:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010.06.28 23:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010.06.28 23:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010.06.28 23:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010.06.28 23:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010.06.28 23:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010.01.20 16:53:06 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2010.01.20 16:53:04 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2009.08.20 18:38:24 | 000,006,144 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\walvhid.sys -- (vhidmini)
DRV - [2009.03.08 19:15:14 | 000,006,144 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\moufiltr.sys -- (moufiltr)
DRV - [2008.08.14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs)
DRV - [2008.04.14 01:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007.05.23 04:21:12 | 000,016,272 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btnetdrv.sys -- (BT)
DRV - [2007.05.23 04:20:58 | 000,036,496 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2007.05.11 03:10:50 | 000,034,704 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)
DRV - [2007.03.05 06:00:04 | 000,027,792 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)
DRV - [2007.03.05 05:56:18 | 000,035,600 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)
DRV - [2007.03.05 05:55:12 | 000,020,880 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\vbtenum.sys -- (BTHidEnum)
DRV - [2007.03.05 05:53:18 | 000,044,304 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)
DRV - [2007.03.05 05:52:18 | 000,034,448 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)
DRV - [2005.10.26 15:14:34 | 000,006,927 | R--- | M] (Conexant Systems, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UIUSYS.SYS -- (UIUSys)
DRV - [2005.03.04 11:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004.08.22 16:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
DRV - [2004.08.22 16:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://google.com
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 95.169.190.2:80

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.lv/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.4
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.7
FF - prefs.js..extensions.enabledItems: elemhidehelper@adblockplus.org:1.0.6
FF - prefs.js..extensions.enabledItems: lv-LV@dictionaries.addons.mozilla.org:0.8.2
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.8.3
FF - prefs.js..extensions.enabledItems: ru@dictionaries.addons.mozilla.org:0.4.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://www.google.lv/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.26 03:21:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.26 03:21:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.6\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010.07.23 21:07:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010.07.20 15:10:21 | 000,000,000 | ---D | M]

[2010.06.01 17:16:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010.06.01 17:16:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.07.30 01:28:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions
[2010.07.06 20:31:09 | 000,000,000 | ---D | M] (Flagfox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2010.07.28 01:12:27 | 000,000,000 | ---D | M] (Session Manager) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2010.07.27 02:04:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010.07.15 00:46:24 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010.06.29 08:34:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010.04.30 17:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\elemhidehelper@adblockplus.org
[2010.04.30 17:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010.04.30 17:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\lv-LV@dictionaries.addons.mozilla.org
[2010.06.29 00:18:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\extensions\ru@dictionaries.addons.mozilla.org
[2010.07.27 00:11:30 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\searchplugins\icqplugin.xml
[2010.04.30 18:36:12 | 000,001,090 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7txt5o7n.default\searchplugins\u5mikslv.xml
[2010.07.30 01:28:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.07.14 19:23:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.07.14 19:23:32 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.07.20 16:21:09 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010.07.29 19:11:38 | 000,415,609 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14348 more lines...
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Look 'n' Stop] C:\Program Files\Soft4Ever\looknstop\looknstop.exe ()
O4 - HKLM..\Run: [MacrokeyManager] C:\WINDOWS\System32\WTMKM.exe ()
O4 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003..\Run: [dso32] C:\DOCUME~1\User\LOCALS~1\Temp\dsoqq.exe File not found
O4 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003..\Run: [EssentialPIM Pro Portable] C:\Program Files\EssentialPIM_Pro_Portable_3\EssentialPIM Pro Portable 3.54\EssentialPIM.exe (Astonsoft Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetFolders = 0
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayContextMenu = 0
O7 - HKU\S-1-5-21-1409082233-839522115-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Добавить к существующему PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Добавить содержимое по ссылке в существующий файл PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Преобразовать в Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Преобразовать содержимое по ссылке в PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1160486331281 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007.08.01 14:26:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010.07.28 03:15:42 | 000,000,000 | ---D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010.07.28 03:15:42 | 000,000,000 | ---D | M] - E:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010.07.30 03:25:07 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010.07.29 19:21:01 | 000,165,456 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010.07.29 19:21:01 | 000,017,744 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010.07.29 19:21:00 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010.07.29 19:20:59 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010.07.29 19:20:57 | 000,100,176 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010.07.29 19:20:57 | 000,094,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010.07.29 19:20:57 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010.07.29 19:20:30 | 000,165,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010.07.29 19:20:30 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010.07.29 19:20:22 | 000,000,000 | ---D | C] -- C:\Program Files\Avast5
[2010.07.29 19:20:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010.07.29 15:45:15 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010.07.29 15:14:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\policija CELU
[2010.07.28 11:01:41 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010.07.28 03:15:42 | 000,000,000 | ---D | C] -- C:\autorun.inf
[2010.07.26 17:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\BLEEP
[2010.07.20 16:22:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxit Software
[2010.07.20 16:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Foxit Software
[2010.07.20 15:10:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxit
[2010.07.20 15:09:52 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010.07.17 16:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010.07.17 16:25:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.07.17 16:25:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.07.17 16:25:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.07.17 16:25:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.07.15 20:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\SCAN
[2010.07.15 20:39:20 | 000,608,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\COMCTL32.OCX
[2010.07.15 00:28:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010.07.14 19:25:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010.07.14 19:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010.07.14 19:23:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.07.14 19:23:42 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.07.14 19:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.07.14 19:23:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.07.14 19:23:42 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.07.14 19:23:28 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010.07.14 19:21:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Sun
[2010.07.13 11:42:34 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Firewall Plus
[2010.07.13 11:19:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2010.07.08 15:00:25 | 000,000,000 | ---D | C] -- C:\Program Files\EssentialPIM_Pro_Portable_3
[2010.07.08 14:10:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\EssentialPIM Pro
[2010.07.06 20:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\looknstop
[2010.07.06 20:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Soft4Ever
[2010.07.05 21:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\vsjakoe
[2010.07.05 12:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Bluetooth
[2010.07.05 12:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Bluetooth
[2010.07.05 10:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\SHABLON_VIBIRAJ
[2010.06.30 18:22:20 | 000,006,144 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\moufiltr.sys
[2010.06.30 18:22:15 | 000,134,888 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\WINTAB32.DLL
[2010.06.30 18:22:15 | 000,126,696 | ---- | C] (Aiptek) -- C:\WINDOWS\System32\Tblfunc.dll
[2010.06.30 18:22:15 | 000,049,152 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\ATWinLog.dll
[2010.06.30 18:22:15 | 000,036,864 | ---- | C] (Aiptek) -- C:\WINDOWS\System32\UTBLFILT.DLL
[2010.06.30 18:22:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\udtablet
[2010.06.30 18:22:14 | 001,753,088 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\TblRes.dll
[2010.06.30 18:22:14 | 001,515,240 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\TABLET.CPL
[2010.06.30 18:22:14 | 000,069,632 | ---- | C] (WALTOP International Corp.) -- C:\WINDOWS\System32\Funckey.dll
[2010.05.02 22:22:11 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2010.05.02 22:22:11 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.07.30 03:25:24 | 012,320,768 | ---- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2010.07.30 03:25:08 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010.07.30 02:59:26 | 000,002,880 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010.07.29 19:20:57 | 000,002,617 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010.07.29 19:11:38 | 000,415,609 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.07.29 18:17:04 | 002,367,488 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.epim
[2010.07.29 18:05:05 | 000,000,591 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.07.29 18:04:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.07.29 18:04:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.07.29 16:58:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010.07.29 14:58:58 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\User\Application Data\winscp.rnd
[2010.07.29 11:51:38 | 000,344,064 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100729_1151.epim
[2010.07.29 11:51:27 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.07.28 17:24:15 | 000,000,470 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Irish.lnk
[2010.07.28 05:14:27 | 000,000,587 | ---- | M] () -- C:\Documents and Settings\User\Desktop\multi_channel_saturation.atn.zip
[2010.07.28 03:17:09 | 004,316,588 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010.07.28 01:10:06 | 000,005,120 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.27 23:34:38 | 000,344,064 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100727_2334.epim
[2010.07.27 14:44:36 | 000,000,090 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Про ходунки — ККМ Клуб.URL
[2010.07.27 11:36:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010.07.27 02:22:03 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010.07.26 23:24:14 | 000,343,552 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100726_2324.epim
[2010.07.26 17:28:05 | 000,000,052 | ---- | M] () -- C:\Documents and Settings\User\defogger_reenable
[2010.07.24 02:40:46 | 000,036,696 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010.07.20 16:03:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.07.20 14:40:29 | 000,085,504 | ---- | M] () -- C:\Documents and Settings\User\My Documents\INBOX.doc
[2010.07.17 16:31:53 | 000,000,231 | ---- | M] () -- C:\WINDOWS\system.ini
[2010.07.17 13:03:35 | 000,061,945 | ---- | M] () -- C:\Documents and Settings\User\Desktop\corel.rar
[2010.07.14 19:23:31 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010.07.14 19:23:31 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010.07.14 19:23:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010.07.14 19:23:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010.07.14 19:23:31 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010.07.08 15:02:50 | 000,001,118 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to EssentialPIM.lnk
[2010.07.08 02:50:13 | 000,060,928 | ---- | M] () -- C:\Documents and Settings\User\Desktop\SHILL offshore.doc
[2010.07.06 20:20:52 | 000,009,728 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.07.06 20:14:26 | 000,077,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\lnsfw1.sys
[2010.07.06 20:14:26 | 000,045,824 | ---- | M] () -- C:\WINDOWS\System32\drivers\lnsfw.sys
[2010.07.06 20:14:25 | 000,036,924 | ---- | M] () -- C:\WINDOWS\System32\fwapi.dll
[2010.07.05 15:01:40 | 000,068,497 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ASERVISS.pdf
[2010.07.02 08:25:21 | 000,028,024 | ---- | M] () -- C:\WINDOWS\FontData.fdb
[2010.06.30 18:18:07 | 002,036,792 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.07.29 11:51:38 | 000,344,064 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100729_1151.epim
[2010.07.28 05:44:56 | 000,000,772 | ---- | C] () -- C:\Documents and Settings\User\Desktop\multi_channel_saturation.atn
[2010.07.28 05:14:26 | 000,000,587 | ---- | C] () -- C:\Documents and Settings\User\Desktop\multi_channel_saturation.atn.zip
[2010.07.27 23:34:38 | 000,344,064 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100727_2334.epim
[2010.07.27 14:44:30 | 000,000,090 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Про ходунки — ККМ Клуб.URL
[2010.07.27 02:22:03 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010.07.26 23:24:14 | 000,343,552 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.backup_20100726_2324.epim
[2010.07.26 17:27:58 | 000,000,052 | ---- | C] () -- C:\Documents and Settings\User\defogger_reenable
[2010.07.26 11:28:55 | 000,061,945 | ---- | C] () -- C:\Documents and Settings\User\Desktop\corel.rar
[2010.07.25 01:12:00 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.20 16:03:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.07.08 15:02:50 | 000,001,118 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to EssentialPIM.lnk
[2010.07.08 15:00:16 | 002,367,488 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mylife.epim
[2010.07.06 20:20:52 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.07.06 20:14:25 | 000,077,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\lnsfw1.sys
[2010.07.06 20:14:25 | 000,045,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\lnsfw.sys
[2010.07.06 20:14:25 | 000,036,924 | ---- | C] () -- C:\WINDOWS\System32\fwapi.dll
[2010.07.05 15:01:40 | 000,068,497 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ASERVISS.pdf
[2010.07.01 10:48:45 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\User\Desktop\WebMoney Cards.URL
[2010.06.30 18:22:15 | 000,515,816 | ---- | C] () -- C:\WINDOWS\System32\atwtusb.exe
[2010.06.30 18:22:14 | 000,118,504 | ---- | C] () -- C:\WINDOWS\System32\Calibration.exe
[2010.06.30 18:22:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\InstallService.exe
[2010.06.30 18:22:13 | 005,586,664 | ---- | C] () -- C:\WINDOWS\System32\WTMKM.exe
[2010.06.30 18:22:13 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\ATWTINK.DLL
[2010.06.30 18:22:13 | 000,126,696 | ---- | C] () -- C:\WINDOWS\RmTablet.exe
[2010.06.30 18:22:13 | 000,013,254 | ---- | C] () -- C:\WINDOWS\System32\Vista.ini
[2010.06.30 18:22:13 | 000,012,948 | ---- | C] () -- C:\WINDOWS\System32\XP_2000.ini
[2010.06.30 18:22:13 | 000,008,229 | ---- | C] () -- C:\WINDOWS\aiptbl.ini
[2010.06.30 18:22:13 | 000,001,192 | ---- | C] () -- C:\WINDOWS\System32\Hit.WAV
[2010.06.30 18:22:13 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\MKProfile.ini
[2010.06.22 10:03:04 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010.05.06 13:29:17 | 000,000,382 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010.04.29 15:24:33 | 000,014,545 | R--- | C] () -- C:\WINDOWS\System32\Photoshop Elements.ini
[2010.04.29 15:24:33 | 000,010,361 | R--- | C] () -- C:\WINDOWS\System32\PhotoImpact XL SE.ini
[2006.09.08 16:06:25 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006.09.08 16:06:24 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006.09.08 16:06:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2006.09.08 16:06:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2006.09.08 16:06:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2006.09.08 03:01:14 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2006.09.08 03:01:14 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2006.09.08 03:01:14 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2004.08.22 17:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2008.04.14 15:00:00 | 000,313,856 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\p2pgraph.dll
[2008.04.14 15:00:00 | 000,105,472 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\polstore.dll
[2008.04.14 15:00:00 | 000,192,512 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\qcap.dll
[2008.04.14 15:00:00 | 000,279,040 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\qdv.dll
[2008.04.14 15:00:00 | 000,733,696 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\qedwipes.dll
[2008.04.14 15:00:00 | 000,004,096 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\rdpcfgex.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007.08.01 17:07:23 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007.08.01 17:07:22 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007.08.01 17:07:22 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E965A533
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:41ADDB8A
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A064CECC
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
< End of report >


#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 30 July 2010 - 06:29 AM

QUOTE
I have to say antivirus stopped this ggb6w.exe, which is sitting in the root of each hard drive, but it did not delete it.


That file isn't showing in your logs. Are you able to delete them manually? If so, please delete them all.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#11 pcgi

  • Topic Starter
  • Members
  • 8 posts

Posted 04 August 2010 - 04:06 AM

Hello Syler,
this is the log you requested:
Attached File: ComboFix.txt (16.86KB, 3 downloads)

QUOTE(syler @ Jul 30 2010, 02:29 PM)
please delete them all.

and I did. Antivirus put them into an isolated space called 'chest'; that's why they didn't show up.

Edited by pcgi, 04 August 2010 - 04:09 AM.


#12 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 05 August 2010 - 05:03 PM

QUOTE
And also, I am unable to see hidden files and folders, this option doesn't work for me.


Do you still have this problem? What exactly happens when you try to unhide them? Do you have any other problems at the moment?

Please post the contents of the following file:

c:\Qoobox\ComboFix-quarantined-files.txt


Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • ComboFix-quarantined-files.txt
  • ESET report
  • New DDS log

Thanks



#13 pcgi

  • Topic Starter
  • Members
  • 8 posts

Posted 09 August 2010 - 07:31 AM

Hello Syler! I hope you had a nice weekend.

I don't have problems with hidden files now. Don't have other problems.

c:\Qoobox\ComboFix-quarantined-files.txt

2010-08-04 08:59:12 . 2010-08-04 08:59:12 766 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
2010-08-04 08:54:24 . 2010-08-04 08:54:24 6,561 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-08-04 08:43:56 . 2010-08-04 08:45:14 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2004-08-22 14:04:56 . 2004-08-22 14:04:56 69,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\daemon.dll.vir

I couldn't save the log file in the ESET scan, so I saved only a print screen:
Attached File: eset.png (58.74KB, 3 downloads)

DDS log:
Attached File: DDS.zip (4.15KB, 2 downloads)

#14 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 09 August 2010 - 10:28 AM

Hi pcgi, my weekend was fine thanks.

Nothing to worry about in the ESET report, your logs are looking fine now.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will
prevent you from getting the malware which uses vulnerabilities found in Windows to exploit your computer.
The easiest way to do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Make sure all programs are updated
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware
to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed
applications that are regularly patched to fix vulnerabilities. You can check these by visiting
Calendar of Updates or you can install Secunia PSI.

Install an AntiSpyware Program
It is recommended that you have an Anti Spyware program installed alongside your Anti Virus, to add an extra
layer of protection. You should update and scan with it as you would with your Anti Virus. Most Anti Spyware
programs don't have active protection, unless you have a paid version, so in that case you can have more
than one installed for scanning purposes, but you also don't want to bloat your computer with these
programs, so I would recommend having no more than two installed.

SuperAntiSpyware
Spybot - Search & Destroy
Ad-aware

Install Sandboxie
Sandboxie is a great program to help protect you against malware. Working inside Sandboxie will basically
mean that what you are doing will not make permanent changes to your system, unless you allow it to.
So you can be surfing the web inside Sandboxie, then if you happen to stumble upon a bad site and get
infected, you can simply delete the Sandbox and all is gone. Having said that, it cannot be considered 100%
secure as no program can be, but it can be a great help and is an excellent program. You can find a download
link and more information about the program here.

Secure your browsing
Firefox is generally considered to be a lot safer than Internet Explorer. I would recommend that you install
Firefox and install some addons that will make the browser even safer. You can download the latest version
of Firefox here; if you already have Firefox, these are some good addons.

Recommended addons
NoScript
Adblock Plus
WOT

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs. You can find a tutorial and download link here.

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download it and find instructions here.


Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler



#15 syler

  • Malware Response Team
  • 8,150 posts
  • Gender: Male
  • Location: Warrington, UK

Posted 12 August 2010 - 06:46 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
