Explorer keeps hanging/crashing


This topic is locked
24 replies to this topic

#1 Takapon

Takapon

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:21 PM

Posted 23 July 2010 - 08:37 AM

Hello BC people.

I need help in cleaning out possible malware files that make my friend's laptop's explorer.exe keep crashing. Well, more precisely, it's a netbook. I've cleaned up some files that were obviously not legitimate Windows files (I double checked they weren't system files using this http://www.bleepingcomputer.com/startups/) and have deleted these hoping it would fix it. But I had no luck and now I would like some help.

Laptop (netbook) specs:
Asus EeePC
Intel Atom CPU N280 @ 1.66GHz
1GB RAM
Microsoft Windows XP SP3 Home Edition (Build 2600)

So far what I have done is run Avast! Free Antivirus and removed four files and manually looked into common malware directories (Local Settings, program files) and manually deleted files from the disk.

What I also noticed whilst the virus scan was running was that the laptop made the Windows starting sounds at about 1.5-2hrs into the scan and then explorer.exe becomes stable after this. After noticing this I don't know what the cause of this is anymore.

Any further instructions/advice would be great.

Oh my, completely forgot about pasting that log! lol.

I've re-scanned it and here are the logs. Sorry about that!
And I got a BSOD after I scanned using GMER. I didn't get it last time, but thought I'd leave that on the table in case you needed to know, so I restarted once and scanned DDS after that.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Boom Boom at 14:29:52.90 on Mon 26/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.659 [GMT 10:00]

AV: avast! Antivirus *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Documents and Settings\Boom Boom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress]
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [Google Update] "c:\documents and settings\boom boom\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\boombo~1\startm~1\programs\startup\limewi~1.lnk - c:\documents and settings\boom boom\my documents\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-solitaire-secret-island/SpinTopGamesLauncher.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [2010-2-5 10368]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-15 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-15 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-15 40384]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [2010-2-5 154368]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-11 54752]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-15 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-15 40384]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-07-19 10:32:22 0 d-----w- c:\program files\Trend Micro
2010-07-18 06:53:36 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-18 06:53:36 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-18 06:53:32 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-18 06:53:32 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-18 06:53:20 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-18 06:53:20 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-07-15 13:45:25 38848 ----a-w- c:\windows\avastSS.scr
2010-07-15 13:45:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-15 13:17:27 0 d-----w- c:\docume~1\boombo~1\applic~1\AVG9
2010-07-13 13:11:59 0 d-----w- c:\program files\PocoMan
2010-07-13 11:51:23 0 d--h--w- C:\$AVG
2010-07-13 11:15:41 120 ----a-w- c:\windows\Abasameteqariw.dat
2010-07-13 11:15:41 0 ----a-w- c:\windows\Bbemakezak.bin
2010-07-13 11:06:19 0 d-----w- c:\program files\AVG
2010-07-13 11:06:16 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-07-08 13:25:55 0 ----a-w- c:\windows\bb8tke4r41a7dyuyg8z5nriu.ini
2010-07-07 00:50:35 0 d-----w- C:\games
2010-07-05 10:33:57 0 d-----w- c:\documents and settings\boom boom\WINDOWS

==================== Find3M ====================

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-30 02:21:07 4096 ----a-w- c:\windows\d3dx.dat
2010-04-30 02:21:05 360580 ----a-w- c:\windows\eSellerateEngine.dll
2010-04-29 09:47:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 09:47:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe
2010-03-23 04:43:06 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-03-23 04:43:06 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-03-23 04:43:06 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:31:38.59 ===============



GMER:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-26 14:14:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BOOMBO~1\LOCALS~1\Temp\pxtdypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA1800CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA1800B8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA1801142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA180106C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA1800764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA1800C68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA18006A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA1800708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA1800D88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA1801210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA1800D48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA1800EC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA180DB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA180D9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA180DAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP A180DAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP A180D9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP A18095B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP A180AF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A180DBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7B50814]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[796] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[796] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[796] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1100] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EC000A
.text C:\WINDOWS\Explorer.EXE[1508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Pandy, 26 July 2010 - 02:25 PM.
Merged and moved from AII as the OP added a DDS log ~Pandy



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 30 July 2010 - 10:30 AM

Hello Takapon, my name is Syler and I will be helping you to solve your malware issues. Sorry for the delay in replying, we are very busy at the moment.

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.





We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Then please post back here with the following logs:
  • MBAM log
  • Gmer log
  • OTL.txt
  • Extra.txt

Thanks



#3 Takapon

Takapon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:21 PM

Posted 01 August 2010 - 09:15 AM

Hey Syler,

Thanks for the reply, sorry I couldn't reply sooner I had a birthday party and wasn't able to check back here.

I ran scans for the MBAM and deleted 5 files. I then ran GMER but I had hardware problems of some sort and ended up getting BSODs and restarts, so I went into safe mode and disabled bluetooth/wireless but it still didn't work. I went into msconfig and disabled AV programs from starting but that didn't really fix it either, so I think I will try and uninstall the AV tomorrow and hopefully get a scan of that. OTL was successful, but I think I'll re-scan everything after I try again tomorrow.

Any suggestions as to why I may be experiencing the BSODs is greatly appreciated. I'm not sure if there is a better way of disabling the wifi/bluetooth/AV, I was thinking maybe you would know something more about it.

Cheers,

Taka

Edited by Takapon, 01 August 2010 - 09:16 AM.


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 02 August 2010 - 05:45 AM

Hi Taka,

QUOTE
Any suggestions as to why I may be experiencing the BSODs is greatly appreciated


It is probably being caused by the malware, it happens quite often. If you can't get Gmer to complete just leave it for now and post the other logs, cheers.



#5 Takapon

Takapon
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:21 PM

Posted 02 August 2010 - 06:01 AM

Hey Syler,

I managed to get a GMER log so here are the logs:




MBAM (1st scan)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/08/2010 9:33:20 PM
mbam-log-2010-08-01 (21-33-20).txt

Scan type: Quick scan
Objects scanned: 130805
Time elapsed: 15 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




MBAM (2nd scan)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/08/2010 6:21:20 PM
mbam-log-2010-08-02 (18-21-20).txt

Scan type: Quick scan
Objects scanned: 123563
Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-02 19:52:10
Windows 5.1.2600 Service Pack 3
Running: p6ou4q6w.exe; Driver: C:\DOCUME~1\BOOMBO~1\LOCALS~1\Temp\pxtdypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA18A5CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA18A5B8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA18A6142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA18A606C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA18A5764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA18A5C68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA18A56A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA18A5708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA18A5D88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA18A6210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA18A5D48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA18A5EC8]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7B50814]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00F2000A
.text C:\WINDOWS\System32\svchost.exe[1056] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F6000A
.text C:\WINDOWS\Explorer.EXE[1512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1512] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1512] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[716] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[716] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A0F7FD20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 864A6EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----





OTL.txt
OTL logfile created on: 2/08/2010 8:42:15 PM - Run 5
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Boom Boom\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,015.00 Mb Total Physical Memory | 554.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 47.23 Gb Free Space | 65.53% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.98 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUMI
Current User Name: Boom Boom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/01 21:06:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
PRC - [2010/07/17 10:32:38 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
PRC - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/04/13 08:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2009/01/23 17:49:53 | 000,416,768 | ---- | M] (ELANTECH Devices Corp.) -- C:\Program Files\Elantech\ETDCtrl.exe
PRC - [2008/12/05 03:38:06 | 000,114,688 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsTray.exe
PRC - [2008/11/15 04:55:56 | 000,376,832 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
PRC - [2008/07/18 18:52:16 | 000,104,936 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2008/05/21 15:56:24 | 000,094,208 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
PRC - [2008/04/14 22:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/19 13:07:00 | 000,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe


========== Modules (SafeList) ==========

MOD - [2010/08/01 21:06:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
MOD - [2009/02/08 01:26:08 | 000,268,800 | ---- | M] (ELANTECH Devices Corp.) -- C:\Program Files\Elantech\ETDApix.dll
MOD - [2008/04/14 22:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/29 06:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Disabled | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/29 06:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Disabled | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/29 06:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Disabled | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/08/05 21:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)


========== Driver Services (SafeList) ==========

DRV - [2010/06/29 06:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/29 06:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/29 06:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/29 06:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/29 06:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/29 06:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/08/05 21:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/02/13 18:49:30 | 005,029,376 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/02/13 00:59:44 | 000,093,696 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
DRV - [2008/10/20 17:23:22 | 000,154,368 | ---- | M] (CyberLink Corporation.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\CLBUDFR.sys -- (CLBUDFR)
DRV - [2008/10/20 17:23:22 | 000,010,368 | ---- | M] (Cyberlink Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\CLBStor.sys -- (CLBStor)
DRV - [2008/09/24 03:15:00 | 000,038,400 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2008/09/19 09:44:38 | 001,326,528 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/12 15:32:56 | 000,327,192 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/08/20 00:16:36 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/08/20 00:16:28 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/08/12 00:14:12 | 001,752,704 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2008/07/24 19:37:10 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/05/30 13:46:12 | 000,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/04/14 22:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\changer.sys -- (Changer)
DRV - [2008/04/14 00:10:28 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/09 05:59:28 | 000,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2008/03/10 20:18:42 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008/02/04 19:57:44 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/02/04 19:57:30 | 000,037,032 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2007/12/19 13:32:00 | 005,854,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577


[2010/02/07 09:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boom Boom\Application Data\Mozilla\Extensions
[2010/02/07 09:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boom Boom\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2008/04/14 22:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe File not found
O4 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006..\Run: [Power2GoExpress] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O4 - Startup: C:\Documents and Settings\Boom Boom\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Documents and Settings\Boom Boom\My Documents\LimeWire\LimeWire.exe (Lime Wire, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab (SpinTop Games Launcher)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - Unable to open key or key not present!
O32 - AutoRun File - [2009/07/11 06:40:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "avast! Web Scanner"
MsConfig - Services: "avast! Mail Scanner"
MsConfig - Services: "avast! Antivirus"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe - (Broadcom Corporation.)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AsusACPIServer - hkey= - key= - C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
MsConfig - StartUpReg: avast5 - hkey= - key= - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69819404975603712)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/02 20:32:31 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
[2010/08/01 21:15:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Application Data\Malwarebytes
[2010/08/01 21:15:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/01 21:15:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/01 21:15:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/01 21:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/22 12:15:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\My Documents\OneNote Notebooks
[2010/07/22 11:56:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Desktop\HJT
[2010/07/19 20:32:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/18 16:53:36 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/07/18 16:53:36 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/07/18 16:53:32 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/07/18 16:53:20 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/07/18 16:53:20 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/07/16 18:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\turdbvyos
[2010/07/16 17:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/07/15 23:52:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/07/15 23:47:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/07/15 23:47:03 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/07/15 23:46:40 | 000,017,744 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/07/15 23:46:39 | 000,165,456 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/07/15 23:46:37 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/07/15 23:46:34 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/07/15 23:46:30 | 000,100,176 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/07/15 23:46:29 | 000,094,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/07/15 23:46:29 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/07/15 23:45:25 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/07/15 23:45:23 | 000,165,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/07/15 23:45:04 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/07/15 23:45:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/07/15 23:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Application Data\AVG9
[2010/07/13 23:11:59 | 000,000,000 | ---D | C] -- C:\Program Files\PocoMan
[2010/07/13 21:51:23 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/07/13 21:15:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\{7120845E-DEEB-4613-B9E5-1E609ACE815E}
[2010/07/13 21:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\epnieqkke
[2010/07/13 21:06:19 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/07/13 21:06:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/07/13 20:50:00 | 115,508,392 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Boom Boom\My Documents\avg_iswt_stf_all_90_791a2750_avalanche.exe
[2010/07/09 00:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/09 00:53:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/08 22:40:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\nelwltnkd
[2010/07/08 20:43:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/08 20:43:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/07 10:50:35 | 000,000,000 | ---D | C] -- C:\games
[2010/07/05 20:33:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\WINDOWS
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/02 20:37:16 | 000,000,994 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006UA.job
[2010/08/02 20:08:38 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Boom Boom\NTUSER.DAT
[2010/08/02 18:06:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/02 18:06:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/02 17:59:35 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/08/02 17:59:34 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/02 17:59:34 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/01 21:33:55 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Boom Boom\ntuser.ini
[2010/08/01 21:15:17 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/01 21:12:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/01 21:06:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
[2010/07/23 23:38:27 | 008,514,516 | -H-- | M] () -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\IconCache.db
[2010/07/23 14:53:00 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/07/22 11:56:03 | 000,001,469 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\HijackThis.lnk
[2010/07/19 17:23:21 | 000,000,007 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\cmd1.bat
[2010/07/19 01:09:10 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/19 00:01:00 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/07/18 10:37:01 | 000,000,942 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006Core.job
[2010/07/17 10:53:08 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/07/16 17:28:42 | 000,002,316 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\Google Chrome.lnk
[2010/07/16 17:28:42 | 000,002,294 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/15 23:46:42 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/07/15 23:46:30 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/15 23:46:20 | 000,001,558 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\PocoMan!.lnk
[2010/07/15 23:44:08 | 053,785,488 | ---- | M] () -- C:\Documents and Settings\Boom Boom\My Documents\setup_av_free.exe
[2010/07/14 00:27:08 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/13 23:11:56 | 001,003,520 | ---- | M] () -- C:\Documents and Settings\Boom Boom\My Documents\poco-w95.exe
[2010/07/13 21:15:41 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Abasameteqariw.dat
[2010/07/13 21:15:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Bbemakezak.bin
[2010/07/13 20:50:00 | 115,508,392 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Boom Boom\My Documents\avg_iswt_stf_all_90_791a2750_avalanche.exe
[2010/07/09 00:11:27 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/09 00:11:27 | 000,442,024 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/09 00:11:27 | 000,071,810 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/08 23:25:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\bb8tke4r41a7dyuyg8z5nriu.ini
[2010/07/08 09:22:04 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/07 10:50:36 | 000,000,587 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\Happyland Adventures.lnk
[2010/07/06 15:43:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/01 21:15:17 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/23 14:34:50 | 000,148,713 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\FASTWiz.log
[2010/07/22 11:56:03 | 000,001,469 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\HijackThis.lnk
[2010/07/19 17:23:21 | 000,000,007 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\cmd1.bat
[2010/07/16 17:28:42 | 000,002,316 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\Google Chrome.lnk
[2010/07/16 17:28:42 | 000,002,294 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/16 17:27:33 | 000,000,994 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006UA.job
[2010/07/16 17:27:32 | 000,000,942 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006Core.job
[2010/07/15 23:46:42 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/07/15 23:44:08 | 053,785,488 | ---- | C] () -- C:\Documents and Settings\Boom Boom\My Documents\setup_av_free.exe
[2010/07/14 00:27:08 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/13 23:15:00 | 001,003,520 | ---- | C] () -- C:\Documents and Settings\Boom Boom\My Documents\poco-w95.exe
[2010/07/13 23:11:59 | 000,001,558 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\PocoMan!.lnk
[2010/07/13 21:15:41 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Abasameteqariw.dat
[2010/07/13 21:15:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Bbemakezak.bin
[2010/07/08 23:25:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\bb8tke4r41a7dyuyg8z5nriu.ini
[2010/07/07 10:50:36 | 000,000,587 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\Happyland Adventures.lnk
[2009/07/11 09:38:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/07/11 07:57:07 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2009/07/11 07:54:03 | 001,752,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2009/07/11 07:54:03 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys
[2009/07/11 06:27:26 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/07/11 06:27:17 | 000,044,952 | ---- | C] () -- C:\WINDOWS\awedufodiziresox.dll
[2008/11/15 08:12:56 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2008/09/02 21:25:26 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/07/31 09:31:52 | 000,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2005/02/18 02:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/18 02:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/15 03:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/07/10 23:33:32 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/07/10 23:33:32 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/07/10 23:33:32 | 000,913,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:D1B5B4F1
< End of report >






Extras.txt (I'm not sure why, but when I re-scanned it, it didn't create a new one. I thought it appended to the old one but... I'm not sure what happened, so I'll paste in my first copy. That's why the OTL is for run 5, because I ran it so many times)


OTL Extras logfile created on: 1/08/2010 11:07:37 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Boom Boom\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,015.00 Mb Total Physical Memory | 673.00 Mb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 47.32 Gb Free Space | 65.67% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.98 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUMI
Current User Name: Boom Boom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-2946036855-2774403157-1909545103-1006\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Documents and Settings\Boom Boom\My Documents\LimeWire\LimeWire.exe" = C:\Documents and Settings\Boom Boom\My Documents\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\8BallClub\GameDirector.exe" = C:\Program Files\8BallClub\GameDirector.exe:*:Enabled:8BallClub Game -- File not found
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" = C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player -- File not found
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{22D90DD2-8654-4E8A-B2F1-B6B86A2BF390}" = CyberLink UDF Reader 5.0
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E4DAE31-7CF3-441A-B6E5-B014D63C80CD}" = Eee Instant Key
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN Card
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"avast5" = avast! Free Antivirus
"DivX Setup.divx.com" = DivX Setup
"Eee Storage" = Eee Storage
"Elantech" = ETDWare PS/2-x86 7.0.4.3 WHQL
"Happyland Adventures - Xmas Edition_is1" = Happyland Adventures - Xmas Edition v1.3.1
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"LimeWire" = LimeWire 5.4.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSS" = Norton Security Scan
"USB 2.0 1.3M UVC WebCam" = USB 2.0 1.3M UVC WebCam
"WinLiveSuite_Wave3" = Windows Live Essentials
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2946036855-2774403157-1909545103-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 18/07/2010 7:37:09 PM | Computer Name = SUMI | Source = Google Update | ID = 20
Description =

Error - 19/07/2010 4:49:03 AM | Computer Name = SUMI | Source = Application Hang | ID = 1002
Description = Hanging application AsAcpiSvr.exe, version 5.1.1.4009, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 19/07/2010 4:53:39 AM | Computer Name = SUMI | Source = Application Hang | ID = 1002
Description = Hanging application AsAcpiSvr.exe, version 5.1.1.4009, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 23/07/2010 12:37:06 AM | Computer Name = SUMI | Source = Google Update | ID = 20
Description =

Error - 23/07/2010 7:37:05 AM | Computer Name = SUMI | Source = Google Update | ID = 20
Description =

Error - 23/07/2010 9:37:07 AM | Computer Name = SUMI | Source = Google Update | ID = 20
Description =

Error - 25/07/2010 7:37:05 AM | Computer Name = SUMI | Source = Google Update | ID = 20
Description =

Error - 25/07/2010 11:38:35 PM | Computer Name = SUMI | Source = Google Update | ID = 20
Description =

Error - 26/07/2010 12:03:16 AM | Computer Name = SUMI | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15281, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/08/2010 7:37:06 AM | Computer Name = SUMI | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 1/08/2010 8:23:50 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/08/2010 8:23:50 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/08/2010 8:48:31 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/08/2010 8:48:31 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/08/2010 8:54:13 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/08/2010 8:54:13 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/08/2010 8:56:40 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/08/2010 8:56:40 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/08/2010 9:02:13 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/08/2010 9:02:13 AM | Computer Name = SUMI | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 02 August 2010 - 06:28 AM

I can see the problem there, let's try and get it removed now.

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If any suspicious items are found, let it skip them for now
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



#7 Takapon

Takapon
  • Topic Starter

  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 02 August 2010 - 08:01 AM

Hey Syler,

Here's the log:


2010/08/02 22:56:21.0656 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/08/02 22:56:21.0656 ================================================================================
2010/08/02 22:56:21.0656 SystemInfo:
2010/08/02 22:56:21.0656
2010/08/02 22:56:21.0656 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/02 22:56:21.0656 Product type: Workstation
2010/08/02 22:56:21.0656 ComputerName: SUMI
2010/08/02 22:56:21.0656 UserName: Boom Boom
2010/08/02 22:56:21.0656 Windows directory: C:\WINDOWS
2010/08/02 22:56:21.0656 System windows directory: C:\WINDOWS
2010/08/02 22:56:21.0656 Processor architecture: Intel x86
2010/08/02 22:56:21.0656 Number of processors: 2
2010/08/02 22:56:21.0656 Page size: 0x1000
2010/08/02 22:56:21.0656 Boot type: Normal boot
2010/08/02 22:56:21.0656 ================================================================================
2010/08/02 22:56:22.0109 Initialize success
2010/08/02 22:56:25.0921 ================================================================================
2010/08/02 22:56:25.0921 Scan started
2010/08/02 22:56:25.0921 Mode: Manual;
2010/08/02 22:56:25.0921 ================================================================================
2010/08/02 22:56:27.0718 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/08/02 22:56:27.0921 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/02 22:56:27.0984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/08/02 22:56:28.0062 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/02 22:56:28.0265 AR5416 (7d53e5646ba23fd51296f7ef8979a000) C:\WINDOWS\system32\DRIVERS\athw.sys
2010/08/02 22:56:28.0390 AsusACPI (12415a4b61ded200fe9932b47a35fa42) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys
2010/08/02 22:56:28.0453 aswFsBlk (0c0b08847f2f24baa7bd43d8f2c6c8b0) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010/08/02 22:56:28.0500 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/08/02 22:56:28.0531 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/08/02 22:56:28.0578 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\system32\drivers\aswSP.sys
2010/08/02 22:56:28.0625 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/08/02 22:56:28.0687 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/02 22:56:28.0890 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/02 22:56:28.0968 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/02 22:56:29.0062 btaudio (4b43dfe1c1fbb305a1dc5504ef9bb34e) C:\WINDOWS\system32\drivers\btaudio.sys
2010/08/02 22:56:29.0140 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/08/02 22:56:29.0234 BTKRNL (70455baffc078b6152d1e52376296467) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/08/02 22:56:29.0281 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/08/02 22:56:29.0296 btwhid (949eca9c56f657c06d3166d51f3226c7) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2010/08/02 22:56:29.0375 btwmodem (5922bae0cd84924b9cd7e6bb515ee070) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
2010/08/02 22:56:29.0421 BTWUSB (2cfc2bd8785f82a42fcad83de1fa5a36) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/08/02 22:56:29.0484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/02 22:56:29.0531 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/02 22:56:29.0562 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
2010/08/02 22:56:29.0625 CLBStor (cc82215750723d839dbc5d2d625fc130) C:\WINDOWS\system32\drivers\CLBStor.sys
2010/08/02 22:56:29.0656 CLBUDFR (c002f79e6ee9bdf442514435c3d2bcb6) C:\WINDOWS\system32\drivers\CLBUDFR.sys
2010/08/02 22:56:29.0734 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/08/02 22:56:29.0765 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/08/02 22:56:29.0859 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/02 22:56:29.0937 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/02 22:56:30.0015 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/02 22:56:30.0046 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/02 22:56:30.0125 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/02 22:56:30.0218 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/02 22:56:30.0281 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/02 22:56:30.0359 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2010/08/02 22:56:30.0390 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/02 22:56:30.0484 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/02 22:56:30.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/02 22:56:30.0640 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/02 22:56:30.0750 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/02 22:56:30.0859 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/08/02 22:56:30.0937 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/02 22:56:31.0203 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/08/02 22:56:31.0406 iaStor (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\drivers\iaStor.sys
2010/08/02 22:56:31.0671 IntcAzAudAddService (816a4f17dffdeeb01896fe05991838e0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/08/02 22:56:31.0828 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/02 22:56:31.0859 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/02 22:56:31.0937 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/02 22:56:32.0031 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/02 22:56:32.0093 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/02 22:56:32.0156 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/08/02 22:56:32.0187 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/02 22:56:32.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/02 22:56:32.0328 Ktp (85b6d85c044e3df77e92b5a7b265008f) C:\WINDOWS\system32\DRIVERS\ETD.sys
2010/08/02 22:56:32.0390 L1e (fa46f5d09edf93e0c71fe6500fe3f4ae) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
2010/08/02 22:56:32.0468 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
2010/08/02 22:56:32.0531 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/02 22:56:32.0578 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/02 22:56:32.0640 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/02 22:56:32.0718 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/02 22:56:32.0890 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/02 22:56:32.0984 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/02 22:56:33.0078 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/02 22:56:33.0125 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/02 22:56:33.0156 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/02 22:56:33.0250 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/02 22:56:33.0328 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/02 22:56:33.0390 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/02 22:56:33.0468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/02 22:56:33.0484 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/02 22:56:33.0500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/02 22:56:33.0578 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/02 22:56:33.0625 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/02 22:56:33.0718 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/02 22:56:33.0843 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/02 22:56:33.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/02 22:56:33.0921 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/02 22:56:33.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/02 22:56:34.0000 PCIIde (d8027a9fa7df1240050e15c02eee3c6d) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/02 22:56:34.0000 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: d8027a9fa7df1240050e15c02eee3c6d, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/08/02 22:56:34.0000 PCIIde - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/02 22:56:34.0031 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/02 22:56:34.0218 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/02 22:56:34.0250 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/02 22:56:34.0265 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/02 22:56:34.0312 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/02 22:56:34.0453 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/02 22:56:34.0484 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/02 22:56:34.0562 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/02 22:56:34.0578 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/02 22:56:34.0671 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/02 22:56:34.0734 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/02 22:56:34.0937 SNP2UVC (060f51141b20b8156804446a04ab8b2a) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2010/08/02 22:56:35.0125 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/02 22:56:35.0218 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/02 22:56:35.0343 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/02 22:56:35.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/02 22:56:35.0531 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/02 22:56:35.0609 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/02 22:56:35.0687 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/02 22:56:35.0750 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/02 22:56:35.0890 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/02 22:56:35.0937 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/02 22:56:35.0984 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/02 22:56:36.0062 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/02 22:56:36.0078 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/02 22:56:36.0140 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/02 22:56:36.0218 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/02 22:56:36.0265 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/02 22:56:36.0343 ================================================================================
2010/08/02 22:56:36.0343 Scan finished
2010/08/02 22:56:36.0343 ================================================================================
2010/08/02 22:56:36.0390 Detected object count: 1
2010/08/02 22:56:46.0500 PCIIde (d8027a9fa7df1240050e15c02eee3c6d) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/02 22:56:46.0500 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: d8027a9fa7df1240050e15c02eee3c6d, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/08/02 22:56:48.0078 Backup copy found, using it..
2010/08/02 22:56:48.0078 C:\WINDOWS\system32\DRIVERS\pciide.sys - will be cured after reboot
2010/08/02 22:56:48.0078 Rootkit.Win32.TDSS.tdl3(PCIIde) - User select action: Cure


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 02 August 2010 - 10:22 AM

Hi Taka,

There seems to be a small part of the TDSSKiller log missing at the end; it should say whether the removal was successful. Can
you post that little bit, please?

Go here and download appmgmts.dll then place it in the folder C:\windows\system32


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O4 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe File not found
    O4 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006..\Run: [Power2GoExpress] File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2010/07/16 18:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\turdbvyos
    [2010/07/13 21:15:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\{7120845E-DEEB-4613-B9E5-1E609ACE815E}
    [2010/07/13 21:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\epnieqkke
    [2010/07/08 22:40:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\nelwltnkd
    [2010/07/13 21:15:41 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Abasameteqariw.dat
    [2010/07/13 21:15:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Bbemakezak.bin
    [2010/07/08 23:25:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\bb8tke4r41a7dyuyg8z5nriu.ini
    [2009/07/11 06:27:17 | 000,044,952 | ---- | C] () -- C:\WINDOWS\awedufodiziresox.dll
    :Reg
    [HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=""
    :Commands
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.

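The helper's point above is that a TDSSKiller log is only useful if its tail is present: the scan must have finished, every detection needs a logged user action, and the closing "Deinitialize success" line must be there. The following checker is an added example written for this thread (it is not part of the thread and not TDSSKiller's own code); it parses the line shapes seen in the logs posted here and reports what is missing. The sample log is constructed from lines quoted in this thread, and the regular expressions assume the 2.4.0.0 log layout shown above.

```python
"""Completeness and forged-driver checker for TDSSKiller text logs.

Added example for this thread, not TDSSKiller's own code. It assumes the
line layout produced by TDSSKiller 2.4.0.0 as pasted in the posts above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the log shape posted in this thread.
SAMPLE_LOG = """\
2010/08/02 22:56:21.0656 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/08/02 22:56:25.0921 Scan started
2010/08/02 22:56:33.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\\WINDOWS\\system32\\DRIVERS\\pci.sys
2010/08/02 22:56:34.0000 PCIIde (d8027a9fa7df1240050e15c02eee3c6d) C:\\WINDOWS\\system32\\DRIVERS\\pciide.sys
2010/08/02 22:56:34.0000 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\pciide.sys. Real md5: d8027a9fa7df1240050e15c02eee3c6d, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/08/02 22:56:34.0000 PCIIde - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/02 22:56:36.0343 Scan finished
2010/08/02 22:56:36.0390 Detected object count: 1
2010/08/02 22:56:48.0078 C:\\WINDOWS\\system32\\DRIVERS\\pciide.sys - will be cured after reboot
2010/08/02 22:56:48.0078 Rootkit.Win32.TDSS.tdl3(PCIIde) - User select action: Cure
2010/08/02 22:58:04.0687 Deinitialize success
"""
# The case from the thread: the same log pasted without its final line.
TRUNCATED_LOG = "\n".join(SAMPLE_LOG.splitlines()[:-1])

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
MD5 = r"[0-9a-f]{32}"
# "<service> (<md5>) <path>" lines written for every driver that was scanned.
DRIVER_RE = re.compile(rf"^{TS} (?P<name>\S+) \((?P<md5>{MD5})\) (?P<path>\S.*)$")
# Two hashes reported for one path: the tool's own read versus the normal read.
FORGED_RE = re.compile(
    rf"^{TS} Suspicious file \(Forged\): (?P<path>.+?)\. "
    rf"Real md5: (?P<real>{MD5}), Fake md5: (?P<fake>{MD5})$")
DETECT_RE = re.compile(rf"^{TS} (?P<name>\S+) - detected (?P<threat>\S+) \(\d+\)$")
ACTION_RE = re.compile(
    rf"^{TS} (?P<threat>[^()\s]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)     # service -> (md5, path)
    forged: list = field(default_factory=list)      # (path, real_md5, fake_md5)
    detections: dict = field(default_factory=dict)  # service -> threat name
    actions: dict = field(default_factory=dict)     # service -> chosen action
    scan_finished: bool = False
    deinitialized: bool = False


def parse_log(text: str) -> Report:
    """Walk the log once and collect drivers, verdicts, actions and markers."""
    rep = Report()
    for line in text.splitlines():
        line = line.rstrip()
        if (m := FORGED_RE.match(line)):
            rep.forged.append((m["path"], m["real"], m["fake"]))
        elif (m := DETECT_RE.match(line)):
            rep.detections[m["name"]] = m["threat"]
        elif (m := ACTION_RE.match(line)):
            rep.actions[m["name"]] = m["action"]
        elif (m := DRIVER_RE.match(line)):
            rep.drivers[m["name"]] = (m["md5"], m["path"])
        elif line.endswith(" Scan finished"):
            rep.scan_finished = True
        elif line.endswith(" Deinitialize success"):
            rep.deinitialized = True
    return rep


def completeness_issues(rep: Report) -> list:
    """Reasons a pasted log cannot be read as a complete, finished run."""
    issues = []
    if not rep.scan_finished:
        issues.append("no 'Scan finished' line: scan aborted or paste truncated")
    for name, threat in rep.detections.items():
        if name not in rep.actions:
            issues.append(f"{name} ({threat}) detected but no user action logged")
    if not rep.deinitialized:
        issues.append("no 'Deinitialize success' line: tail of the log is missing")
    return issues


def forged_summary(rep: Report) -> list:
    """Pair each forged verdict with the driver entry owning that path.

    Returns (service, path, real_md5, fake_md5, listed_md5_equals_real). A clean
    driver hashes the same however it is read, so two differing hashes for one
    path are the signal worth escalating.
    """
    by_path = {path.lower(): (name, md5) for name, (md5, path) in rep.drivers.items()}
    out = []
    for path, real, fake in rep.forged:
        name, listed = by_path.get(path.lower(), (None, None))
        out.append((name, path, real, fake, listed == real))
    return out


if __name__ == "__main__":
    for label, text in (("full", SAMPLE_LOG), ("truncated", TRUNCATED_LOG)):
        rep = parse_log(text)
        print(label, "forged:", forged_summary(rep))
        print(label, "issues:", completeness_issues(rep) or "none")
```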


#9 Takapon

Takapon
  • Topic Starter

  • Members
  • 13 posts

Posted 04 August 2010 - 07:34 AM

Hey Syler,

I looked at all the TDS logs and there was an extra line supposedly missing from my last post. I'll post the whole log again just in case.

TDS log:

2010/08/02 22:56:21.0656 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/08/02 22:56:21.0656 ================================================================================
2010/08/02 22:56:21.0656 SystemInfo:
2010/08/02 22:56:21.0656
2010/08/02 22:56:21.0656 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/02 22:56:21.0656 Product type: Workstation
2010/08/02 22:56:21.0656 ComputerName: SUMI
2010/08/02 22:56:21.0656 UserName: Boom Boom
2010/08/02 22:56:21.0656 Windows directory: C:\WINDOWS
2010/08/02 22:56:21.0656 System windows directory: C:\WINDOWS
2010/08/02 22:56:21.0656 Processor architecture: Intel x86
2010/08/02 22:56:21.0656 Number of processors: 2
2010/08/02 22:56:21.0656 Page size: 0x1000
2010/08/02 22:56:21.0656 Boot type: Normal boot
2010/08/02 22:56:21.0656 ================================================================================
2010/08/02 22:56:22.0109 Initialize success
2010/08/02 22:56:25.0921 ================================================================================
2010/08/02 22:56:25.0921 Scan started
2010/08/02 22:56:25.0921 Mode: Manual;
2010/08/02 22:56:25.0921 ================================================================================
2010/08/02 22:56:27.0718 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/08/02 22:56:27.0921 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/02 22:56:27.0984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/08/02 22:56:28.0062 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/02 22:56:28.0265 AR5416 (7d53e5646ba23fd51296f7ef8979a000) C:\WINDOWS\system32\DRIVERS\athw.sys
2010/08/02 22:56:28.0390 AsusACPI (12415a4b61ded200fe9932b47a35fa42) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys
2010/08/02 22:56:28.0453 aswFsBlk (0c0b08847f2f24baa7bd43d8f2c6c8b0) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010/08/02 22:56:28.0500 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/08/02 22:56:28.0531 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/08/02 22:56:28.0578 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\system32\drivers\aswSP.sys
2010/08/02 22:56:28.0625 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/08/02 22:56:28.0687 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/02 22:56:28.0890 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/02 22:56:28.0968 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/02 22:56:29.0062 btaudio (4b43dfe1c1fbb305a1dc5504ef9bb34e) C:\WINDOWS\system32\drivers\btaudio.sys
2010/08/02 22:56:29.0140 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/08/02 22:56:29.0234 BTKRNL (70455baffc078b6152d1e52376296467) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/08/02 22:56:29.0281 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/08/02 22:56:29.0296 btwhid (949eca9c56f657c06d3166d51f3226c7) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2010/08/02 22:56:29.0375 btwmodem (5922bae0cd84924b9cd7e6bb515ee070) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
2010/08/02 22:56:29.0421 BTWUSB (2cfc2bd8785f82a42fcad83de1fa5a36) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/08/02 22:56:29.0484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/02 22:56:29.0531 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/02 22:56:29.0562 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
2010/08/02 22:56:29.0625 CLBStor (cc82215750723d839dbc5d2d625fc130) C:\WINDOWS\system32\drivers\CLBStor.sys
2010/08/02 22:56:29.0656 CLBUDFR (c002f79e6ee9bdf442514435c3d2bcb6) C:\WINDOWS\system32\drivers\CLBUDFR.sys
2010/08/02 22:56:29.0734 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/08/02 22:56:29.0765 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/08/02 22:56:29.0859 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/02 22:56:29.0937 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/02 22:56:30.0015 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/02 22:56:30.0046 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/02 22:56:30.0125 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/02 22:56:30.0218 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/02 22:56:30.0281 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/02 22:56:30.0359 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2010/08/02 22:56:30.0390 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/02 22:56:30.0484 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/02 22:56:30.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/02 22:56:30.0640 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/02 22:56:30.0750 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/02 22:56:30.0859 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/08/02 22:56:30.0937 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/02 22:56:31.0203 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/08/02 22:56:31.0406 iaStor (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\drivers\iaStor.sys
2010/08/02 22:56:31.0671 IntcAzAudAddService (816a4f17dffdeeb01896fe05991838e0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/08/02 22:56:31.0828 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/02 22:56:31.0859 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/02 22:56:31.0937 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/02 22:56:32.0031 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/02 22:56:32.0093 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/02 22:56:32.0156 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/08/02 22:56:32.0187 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/02 22:56:32.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/02 22:56:32.0328 Ktp (85b6d85c044e3df77e92b5a7b265008f) C:\WINDOWS\system32\DRIVERS\ETD.sys
2010/08/02 22:56:32.0390 L1e (fa46f5d09edf93e0c71fe6500fe3f4ae) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
2010/08/02 22:56:32.0468 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
2010/08/02 22:56:32.0531 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/02 22:56:32.0578 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/02 22:56:32.0640 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/02 22:56:32.0718 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/02 22:56:32.0890 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/02 22:56:32.0984 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/02 22:56:33.0078 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/02 22:56:33.0125 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/02 22:56:33.0156 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/02 22:56:33.0250 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/02 22:56:33.0328 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/02 22:56:33.0390 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/02 22:56:33.0468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/02 22:56:33.0484 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/02 22:56:33.0500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/02 22:56:33.0578 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/02 22:56:33.0625 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/02 22:56:33.0718 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/02 22:56:33.0843 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/02 22:56:33.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/02 22:56:33.0921 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/02 22:56:33.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/02 22:56:34.0000 PCIIde (d8027a9fa7df1240050e15c02eee3c6d) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/02 22:56:34.0000 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: d8027a9fa7df1240050e15c02eee3c6d, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/08/02 22:56:34.0000 PCIIde - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/02 22:56:34.0031 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/02 22:56:34.0218 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/02 22:56:34.0250 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/02 22:56:34.0265 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/02 22:56:34.0312 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/02 22:56:34.0453 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/02 22:56:34.0484 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/02 22:56:34.0562 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/02 22:56:34.0578 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/02 22:56:34.0671 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/02 22:56:34.0734 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/02 22:56:34.0937 SNP2UVC (060f51141b20b8156804446a04ab8b2a) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2010/08/02 22:56:35.0125 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/02 22:56:35.0218 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/02 22:56:35.0343 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/02 22:56:35.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/02 22:56:35.0531 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/02 22:56:35.0609 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/02 22:56:35.0687 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/02 22:56:35.0750 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/02 22:56:35.0890 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/02 22:56:35.0937 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/02 22:56:35.0984 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/02 22:56:36.0062 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/02 22:56:36.0078 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/02 22:56:36.0140 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/02 22:56:36.0218 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/02 22:56:36.0265 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/02 22:56:36.0343 ================================================================================
2010/08/02 22:56:36.0343 Scan finished
2010/08/02 22:56:36.0343 ================================================================================
2010/08/02 22:56:36.0390 Detected object count: 1
2010/08/02 22:56:46.0500 PCIIde (d8027a9fa7df1240050e15c02eee3c6d) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/02 22:56:46.0500 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pciide.sys. Real md5: d8027a9fa7df1240050e15c02eee3c6d, Fake md5: ccf5f451bb1a5a2a522a76e670000ff0
2010/08/02 22:56:48.0078 Backup copy found, using it..
2010/08/02 22:56:48.0078 C:\WINDOWS\system32\DRIVERS\pciide.sys - will be cured after reboot
2010/08/02 22:56:48.0078 Rootkit.Win32.TDSS.tdl3(PCIIde) - User select action: Cure
2010/08/02 22:58:04.0687 Deinitialize success

First OTL Log:


All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Run\\EA Core deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\turdbvyos folder moved successfully.
C:\Documents and Settings\Boom Boom\Local Settings\Application Data\{7120845E-DEEB-4613-B9E5-1E609ACE815E}\chrome\content folder moved successfully.
C:\Documents and Settings\Boom Boom\Local Settings\Application Data\{7120845E-DEEB-4613-B9E5-1E609ACE815E}\chrome folder moved successfully.
C:\Documents and Settings\Boom Boom\Local Settings\Application Data\{7120845E-DEEB-4613-B9E5-1E609ACE815E} folder moved successfully.
C:\Documents and Settings\Boom Boom\Local Settings\Application Data\epnieqkke folder moved successfully.
C:\Documents and Settings\Boom Boom\Local Settings\Application Data\nelwltnkd folder moved successfully.
C:\WINDOWS\Abasameteqariw.dat moved successfully.
C:\WINDOWS\Bbemakezak.bin moved successfully.
C:\WINDOWS\bb8tke4r41a7dyuyg8z5nriu.ini moved successfully.
C:\WINDOWS\awedufodiziresox.dll moved successfully.
========== REGISTRY ==========
HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\"ProxyServer"|"" /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: All Users

User: Boom Boom
->Temp folder emptied: 587498327 bytes
->Temporary Internet Files folder emptied: 39833798 bytes
->Java cache emptied: 42634248 bytes
->Google Chrome cache emptied: 856432 bytes
->Flash cache emptied: 69721 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: LocalService
->Temp folder emptied: 70235 bytes
->Temporary Internet Files folder emptied: 37250 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 590226 bytes
->Java cache emptied: 26549 bytes
->Flash cache emptied: 3366 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 130605241 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 64645650 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 903642286 bytes

Total Files Cleaned = 1,689.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Boom Boom
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08042010_221552

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Second OTL after reboot:


OTL logfile created on: 4/08/2010 10:22:31 PM - Run 6
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Boom Boom\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,015.00 Mb Total Physical Memory | 705.00 Mb Available Physical Memory | 69.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 48.80 Gb Free Space | 67.73% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.98 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUMI
Current User Name: Boom Boom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/01 21:06:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
PRC - [2010/07/17 10:32:38 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
PRC - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/04/13 08:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2009/01/23 17:49:53 | 000,416,768 | ---- | M] (ELANTECH Devices Corp.) -- C:\Program Files\Elantech\ETDCtrl.exe
PRC - [2008/11/15 04:55:56 | 000,376,832 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
PRC - [2008/07/18 18:52:16 | 000,104,936 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2008/05/21 15:56:24 | 000,094,208 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
PRC - [2008/04/14 22:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/19 13:07:00 | 000,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe


========== Modules (SafeList) ==========

MOD - [2010/08/01 21:06:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
MOD - [2008/04/14 22:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/06/29 06:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Disabled | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/29 06:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Disabled | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/29 06:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Disabled | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/08/05 21:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)


========== Driver Services (SafeList) ==========

DRV - [2010/06/29 06:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/29 06:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/29 06:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/29 06:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/29 06:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/29 06:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/08/05 21:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/02/13 18:49:30 | 005,029,376 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/02/13 00:59:44 | 000,093,696 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
DRV - [2008/10/20 17:23:22 | 000,154,368 | ---- | M] (CyberLink Corporation.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\CLBUDFR.sys -- (CLBUDFR)
DRV - [2008/10/20 17:23:22 | 000,010,368 | ---- | M] (Cyberlink Co.,Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\CLBStor.sys -- (CLBStor)
DRV - [2008/09/24 03:15:00 | 000,038,400 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2008/09/19 09:44:38 | 001,326,528 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/12 15:32:56 | 000,327,192 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/08/20 00:16:36 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/08/20 00:16:28 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/08/12 00:14:12 | 001,752,704 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2008/07/24 19:37:10 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/05/30 13:46:12 | 000,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/04/14 22:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\changer.sys -- (Changer)
DRV - [2008/04/14 00:10:28 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/09 05:59:28 | 000,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2008/03/10 20:18:42 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008/02/04 19:57:44 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/02/04 19:57:30 | 000,037,032 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)
DRV - [2007/12/19 13:32:00 | 005,854,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


[2010/02/07 09:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boom Boom\Application Data\Mozilla\Extensions
[2010/02/07 09:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boom Boom\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2008/04/14 22:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O4 - Startup: C:\Documents and Settings\Boom Boom\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Documents and Settings\Boom Boom\My Documents\LimeWire\LimeWire.exe (Lime Wire, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2946036855-2774403157-1909545103-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab (SpinTop Games Launcher)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - Unable to open key or key not present!
O32 - AutoRun File - [2009/07/11 06:40:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/04 22:15:52 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/08/04 22:14:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Desktop\New Folder
[2010/08/02 22:17:18 | 001,170,256 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Boom Boom\Desktop\TDSSKiller.exe
[2010/08/02 20:32:31 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
[2010/08/01 21:15:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Application Data\Malwarebytes
[2010/08/01 21:15:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/01 21:15:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/01 21:15:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/01 21:15:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/22 12:15:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\My Documents\OneNote Notebooks
[2010/07/22 11:56:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Desktop\HJT
[2010/07/19 20:32:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/18 16:53:36 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/07/18 16:53:36 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/07/18 16:53:32 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/07/18 16:53:20 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/07/18 16:53:20 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/07/16 17:52:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/07/15 23:52:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/07/15 23:47:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/07/15 23:47:03 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/07/15 23:46:40 | 000,017,744 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/07/15 23:46:39 | 000,165,456 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/07/15 23:46:37 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/07/15 23:46:34 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/07/15 23:46:30 | 000,100,176 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/07/15 23:46:29 | 000,094,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/07/15 23:46:29 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/07/15 23:45:25 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/07/15 23:45:23 | 000,165,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/07/15 23:45:04 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/07/15 23:45:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/07/15 23:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boom Boom\Application Data\AVG9
[2010/07/13 23:11:59 | 000,000,000 | ---D | C] -- C:\Program Files\PocoMan
[2010/07/13 21:51:23 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/07/13 21:06:19 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/07/13 21:06:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/07/13 20:50:00 | 115,508,392 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Boom Boom\My Documents\avg_iswt_stf_all_90_791a2750_avalanche.exe
[2010/07/09 00:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/09 00:53:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/08 20:43:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/08 20:43:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/07 10:50:35 | 000,000,000 | ---D | C] -- C:\games

========== Files - Modified Within 30 Days ==========

[2010/08/04 22:19:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/04 22:19:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/04 22:08:59 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Boom Boom\NTUSER.DAT
[2010/08/04 22:08:59 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Boom Boom\ntuser.ini
[2010/08/04 21:52:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/02 22:37:40 | 000,000,994 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006UA.job
[2010/08/02 17:59:35 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/08/02 17:59:34 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/02 17:59:34 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/01 21:15:17 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/01 21:06:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boom Boom\Desktop\OTL.exe
[2010/07/23 23:38:27 | 008,514,516 | -H-- | M] () -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\IconCache.db
[2010/07/23 14:53:00 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/07/22 16:11:12 | 001,170,256 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Boom Boom\Desktop\TDSSKiller.exe
[2010/07/22 11:56:03 | 000,001,469 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\HijackThis.lnk
[2010/07/19 17:23:21 | 000,000,007 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\cmd1.bat
[2010/07/19 01:09:10 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/19 00:01:00 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/07/18 10:37:01 | 000,000,942 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006Core.job
[2010/07/17 10:53:08 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/07/16 17:28:42 | 000,002,316 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\Google Chrome.lnk
[2010/07/16 17:28:42 | 000,002,294 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/15 23:46:42 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/07/15 23:46:30 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/15 23:46:20 | 000,001,558 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\PocoMan!.lnk
[2010/07/15 23:44:08 | 053,785,488 | ---- | M] () -- C:\Documents and Settings\Boom Boom\My Documents\setup_av_free.exe
[2010/07/14 00:27:08 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/13 23:11:56 | 001,003,520 | ---- | M] () -- C:\Documents and Settings\Boom Boom\My Documents\poco-w95.exe
[2010/07/13 20:50:00 | 115,508,392 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Boom Boom\My Documents\avg_iswt_stf_all_90_791a2750_avalanche.exe
[2010/07/09 00:11:27 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/09 00:11:27 | 000,442,024 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/09 00:11:27 | 000,071,810 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/08 09:22:04 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/07 10:50:36 | 000,000,587 | ---- | M] () -- C:\Documents and Settings\Boom Boom\Desktop\Happyland Adventures.lnk
[2010/07/06 15:43:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Files Created - No Company Name ==========

[2010/08/01 21:15:17 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/23 14:34:50 | 000,148,713 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\FASTWiz.log
[2010/07/22 11:56:03 | 000,001,469 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\HijackThis.lnk
[2010/07/19 17:23:21 | 000,000,007 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\cmd1.bat
[2010/07/16 17:28:42 | 000,002,316 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\Google Chrome.lnk
[2010/07/16 17:28:42 | 000,002,294 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/16 17:27:33 | 000,000,994 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006UA.job
[2010/07/16 17:27:32 | 000,000,942 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006Core.job
[2010/07/15 23:46:42 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/07/15 23:44:08 | 053,785,488 | ---- | C] () -- C:\Documents and Settings\Boom Boom\My Documents\setup_av_free.exe
[2010/07/14 00:27:08 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/13 23:15:00 | 001,003,520 | ---- | C] () -- C:\Documents and Settings\Boom Boom\My Documents\poco-w95.exe
[2010/07/13 23:11:59 | 000,001,558 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\PocoMan!.lnk
[2010/07/07 10:50:36 | 000,000,587 | ---- | C] () -- C:\Documents and Settings\Boom Boom\Desktop\Happyland Adventures.lnk
[2009/07/11 09:38:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/07/11 07:57:07 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2009/07/11 07:54:03 | 001,752,704 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2009/07/11 07:54:03 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys
[2009/07/11 06:27:26 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/11/15 08:12:56 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2008/09/02 21:25:26 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/07/31 09:31:52 | 000,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2005/02/18 02:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/18 02:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/15 03:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:D1B5B4F1
< End of report >



Thanks for your help and quick responses so far. The explorer.exe still hangs a bit after boot-up, but the system seems to be starting up a lot quicker, since the startup music is heard around 10-15 min in.

#10 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 04 August 2010 - 12:48 PM

Hi Taka,

That's looking better; I would like to take a look with another tool though.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#11 Takapon

  • Topic Starter
  • Members
  • 13 posts

Posted 04 August 2010 - 10:10 PM

Hey Syler

Here it is:


ComboFix 10-08-04.04 - Boom Boom 05/08/2010 13:01:13.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.700 [GMT 10:00]
Running from: c:\documents and settings\Boom Boom\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents
c:\windows\inf\vvt.pnf
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-05 02:56 . 2010-08-05 02:56 -------- d-----w- c:\windows\LastGood
2010-08-04 12:15 . 2010-08-04 12:15 -------- d-----w- C:\_OTL
2010-08-04 11:52 . 2010-08-04 11:52 167936 ----a-w- c:\windows\system32\appmgmts.dll
2010-08-01 11:15 . 2010-08-01 11:15 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\Malwarebytes
2010-08-01 11:15 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 11:15 . 2010-08-01 11:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 11:15 . 2010-08-01 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-01 11:15 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-19 10:32 . 2010-07-19 10:32 -------- d-----w- c:\program files\Trend Micro
2010-07-18 06:53 . 2008-04-13 14:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-18 06:53 . 2008-04-13 14:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-18 06:53 . 2008-04-13 14:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-18 06:53 . 2008-04-13 14:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-18 06:53 . 2008-04-13 14:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-18 06:53 . 2008-04-13 14:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-07-15 13:52 . 2010-07-15 13:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-15 13:47 . 2010-07-15 13:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-07-15 13:47 . 2010-07-16 08:35 -------- d-----w- c:\program files\Google
2010-07-15 13:45 . 2010-08-05 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-15 13:45 . 2010-07-15 13:45 -------- d-----w- c:\program files\Alwil Software
2010-07-15 13:17 . 2010-07-15 13:17 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\AVG9
2010-07-13 13:11 . 2010-07-13 13:15 -------- d-----w- c:\program files\PocoMan
2010-07-13 12:39 . 2010-07-13 12:39 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-13 12:39 . 2010-07-13 12:39 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
2010-07-13 12:39 . 2010-07-13 12:39 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-07-13 12:39 . 2010-07-13 12:39 26120 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
2010-07-13 12:39 . 2010-07-13 12:39 25096 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
2010-07-13 12:39 . 2010-07-13 12:39 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
2010-07-13 12:39 . 2010-07-13 12:39 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-13 12:39 . 2010-07-13 12:39 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
2010-07-13 12:37 . 2010-07-13 12:37 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-13 12:37 . 2010-07-13 12:37 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-13 12:37 . 2010-07-13 12:37 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-13 12:37 . 2010-07-13 12:37 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-13 11:51 . 2010-07-13 11:51 -------- d-----w- C:\$AVG
2010-07-13 11:06 . 2010-07-13 11:06 -------- d-----w- c:\program files\AVG
2010-07-13 11:06 . 2010-07-15 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-08 14:53 . 2010-07-08 14:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-07 00:50 . 2010-07-07 00:50 -------- d-----w- C:\games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 02:43 . 2010-02-06 23:26 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\LimeWire
2010-08-02 12:58 . 2001-08-17 13:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-07-23 12:15 . 2010-07-19 09:33 60664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-18 15:39 . 2010-02-06 22:47 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\Skype
2010-07-18 15:09 . 2010-03-21 10:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-18 14:01 . 2010-02-06 22:51 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\skypePM
2010-07-17 14:57 . 2009-07-10 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-13 10:59 . 2010-02-08 00:21 -------- d-----w- c:\program files\NortonInstaller
2010-07-13 10:59 . 2010-02-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-13 10:59 . 2009-07-10 22:13 -------- d-----w- c:\program files\Norton Internet Security
2010-07-08 14:01 . 2009-07-10 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-07 23:21 . 2010-03-27 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-23 05:31 . 2010-06-23 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
2010-06-22 05:00 . 2010-06-22 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-06-22 04:58 . 2010-06-22 04:57 -------- d-----w- c:\program files\World of Warcraft Installer
2010-06-17 23:41 . 2010-02-04 22:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-16 09:09 . 2010-06-16 09:09 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\PlayFirst
2010-06-16 09:05 . 2010-06-16 09:05 -------- d-----w- c:\program files\ReflexiveArcade
2010-06-09 23:40 . 2009-07-10 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-22 03:04 . 2010-05-22 03:04 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-22 03:04 . 2010-05-22 03:04 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-22 03:04 . 2010-05-22 03:04 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-22 03:01 . 2010-03-27 04:41 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-22 03:01 . 2010-03-27 04:41 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-16 06:03 . 2010-05-16 06:03 50354 ----a-w- c:\documents and settings\Boom Boom\Application Data\Facebook\uninstall.exe
2008-05-07 08:34 . 2009-07-10 22:05 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[-] 2010-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\appmgmts.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2009-11-06 15:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2009-11-06 15:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-02-17 2356088]
"Google Update"="c:\documents and settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-18 104936]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-01-05 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-06 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\Boom Boom\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\documents and settings\Boom Boom\My Documents\LimeWire\LimeWire.exe [2009-12-17 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-7-11 376832]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusACPIServer]
2008-12-17 23:59 622592 ----a-w- c:\program files\EeePC\ACPI\AsAcpiSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 08:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 05:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Boom Boom\\My Documents\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [5/02/2010 8:39 AM 10368]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [5/02/2010 8:39 AM 154368]
.
Contents of the 'Scheduled Tasks' folder

2010-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006Core.job
- c:\documents and settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-16 13:47]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006UA.job
- c:\documents and settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-16 13:47]

2010-06-19 c:\windows\Tasks\Norton Security Scan for Boom Boom.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-27 14:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-avast5 - c:\progra~1\ALWILS~1\Avast5\avastUI.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 13:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\a61ad301-8580-f5a9-8032-b648c64ea2d]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1x6up6yakptny"=hex:63,33,31,64,66,65,35,62,2d,38,34,65,63,2d,34,31,66,31,2d,
61,64,66,31,2d,30,30,39,30,61,32,64,64,32,63,39,37
"18ji1vtbi6xqv"=hex:65,00,00,00,f8,00,00,00,f3,e8,75,71,53,75,65,4d,65,00,00,
00,00,00,00,00,00,00,00,00,5b,fe,1d,c3,ec,84,f1,41,ad,f1,00,90,a2,dd,2c,97,\
.
Completion time: 2010-08-05 13:08:01
ComboFix-quarantined-files.txt 2010-08-05 03:07

Pre-Run: 52,302,561,280 bytes free
Post-Run: 52,267,376,640 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0EFE7C58331A6014E251D6C1D20ACE67

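A small triage script for the two log sections that drive the fix in the next reply (the failed Sigcheck on appmgmts.dll and the locked registry keys), added here as an example; it is neither the thread's nor ComboFix's code. It parses the Sigcheck and LOCKED REGISTRY KEYS blocks, re-joins wrapped hex values and decodes them to text, and flags keys that deny Full control to Administrators or Authenticated Users; the input is excerpted from the log posted above, and the flagging rule and all function names are my own.

```python
"""Triage helper for the ComboFix log sections posted in this thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt of the ComboFix log posted above (copied from the thread, not constructed).
SAMPLE_LOG = r"""------- Sigcheck -------
[-] 2010-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\appmgmts.dll
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\a61ad301-8580-f5a9-8032-b648c64ea2d]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1x6up6yakptny"=hex:63,33,31,64,66,65,35,62,2d,38,34,65,63,2d,34,31,66,31,2d,
61,64,66,31,2d,30,30,39,30,61,32,64,64,32,63,39,37
.
"""

# One Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DENIED_RE = re.compile(r"^@Denied:\s+\((?P<rights>[^)]+)\)\s+\((?P<who>[^)]+)\)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

@dataclass
class LockedKey:
    path: str
    denied: List[Tuple[str, str]] = field(default_factory=list)  # (rights, principal)
    values: Dict[str, str] = field(default_factory=dict)          # value name -> raw data

def _section(lines: List[str], header: str) -> List[str]:
    """Lines between a ComboFix section header and the lone '.' that closes it."""
    out, inside = [], False
    for line in lines:
        if header in line:
            inside = True
        elif inside:
            if line.strip() == ".":
                break
            out.append(line.rstrip())
    return out

def _join_continuations(lines: List[str]) -> List[str]:
    """Re-join REGEDIT4 hex values that the log wraps onto several lines."""
    joined: List[str] = []
    for line in lines:
        if joined and joined[-1].endswith((",", "\\")):
            joined[-1] = joined[-1].rstrip("\\") + line.strip()
        else:
            joined.append(line)
    return joined

def parse_sigcheck(text: str) -> List[dict]:
    """Files ComboFix signature-checked; flag '-' means the check failed."""
    hits = []
    for line in _section(text.splitlines(), "Sigcheck"):
        m = SIGCHECK_RE.match(line)
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["signature_failed"] = hit["flag"] == "-"
            hits.append(hit)
    return hits

def parse_locked_keys(text: str) -> List[LockedKey]:
    """Keys, deny ACEs and values from the LOCKED REGISTRY KEYS section."""
    keys: List[LockedKey] = []
    for line in _join_continuations(_section(text.splitlines(), "LOCKED REGISTRY KEYS")):
        if (m := KEY_RE.match(line)):
            keys.append(LockedKey(m.group("key")))
        elif keys and (m := DENIED_RE.match(line)):
            keys[-1].denied.append((m.group("rights"), m.group("who")))
        elif keys and (m := VALUE_RE.match(line)):
            keys[-1].values[m.group("name")] = m.group("data")
    return keys

def decode_hex_value(data: str) -> Optional[str]:
    """Decode a REGEDIT4 'hex:' value to text when every byte is printable ASCII."""
    if not data.startswith("hex:"):
        return None
    raw = bytes(int(tok, 16) for tok in data[4:].split(",") if tok.strip())
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def flag_locked_keys(keys: List[LockedKey]) -> List[LockedKey]:
    """Keys denying Full control to Administrators or Authenticated Users resist
    cleanup and go to the top of the list (my heuristic, not ComboFix's); the
    FlashBroker key, which only denies Everyone write access (A 2), is not flagged."""
    return [k for k in keys
            if any(rights == "Full" and who in ("Administrators", "AuthenticatedUsers")
                   for rights, who in k.denied)]
```

On the excerpt above the decoded value under the random-named key is a GUID-shaped string, which is the kind of detail a helper cross-checks before deciding to delete the key rather than restore its ACL.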

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 05 August 2010 - 05:19 PM

Can you tell me how the computer is running and if you are having anymore problems?


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\a61ad301-8580-f5a9-8032-b648c64ea2d]
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • Combofix.txt
  • ESET report

Thanks



#13 Takapon

Takapon
  • Topic Starter

  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 06 August 2010 - 04:05 AM

Hey Syler,

Well, when I booted the netbook up I waited until it made the startup sound; it took about 25 min, but it went to sleep as soon as it did. I ran the scans you told me to after.

ComboFix:

ComboFix 10-08-04.04 - Boom Boom 06/08/2010 12:43:29.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.696 [GMT 10:00]
Running from: c:\documents and settings\Boom Boom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Boom Boom\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-08-04 12:15 . 2010-08-04 12:15 -------- d-----w- C:\_OTL
2010-08-04 11:52 . 2010-08-04 11:52 167936 ----a-w- c:\windows\system32\appmgmts.dll
2010-08-01 11:15 . 2010-08-01 11:15 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\Malwarebytes
2010-08-01 11:15 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 11:15 . 2010-08-01 11:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 11:15 . 2010-08-01 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-01 11:15 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-19 10:32 . 2010-07-19 10:32 -------- d-----w- c:\program files\Trend Micro
2010-07-18 06:53 . 2008-04-13 14:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-07-18 06:53 . 2008-04-13 14:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-07-18 06:53 . 2008-04-13 14:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-07-18 06:53 . 2008-04-13 14:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-07-18 06:53 . 2008-04-13 14:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-07-18 06:53 . 2008-04-13 14:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-07-15 13:52 . 2010-07-15 13:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-15 13:47 . 2010-07-15 13:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-07-15 13:47 . 2010-07-16 08:35 -------- d-----w- c:\program files\Google
2010-07-15 13:45 . 2010-08-05 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-15 13:45 . 2010-07-15 13:45 -------- d-----w- c:\program files\Alwil Software
2010-07-15 13:17 . 2010-07-15 13:17 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\AVG9
2010-07-13 13:11 . 2010-07-13 13:15 -------- d-----w- c:\program files\PocoMan
2010-07-13 12:39 . 2010-07-13 12:39 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-13 12:39 . 2010-07-13 12:39 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
2010-07-13 12:39 . 2010-07-13 12:39 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-07-13 12:39 . 2010-07-13 12:39 26120 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
2010-07-13 12:39 . 2010-07-13 12:39 25096 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
2010-07-13 12:39 . 2010-07-13 12:39 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
2010-07-13 12:39 . 2010-07-13 12:39 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-13 12:39 . 2010-07-13 12:39 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
2010-07-13 12:37 . 2010-07-13 12:37 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-13 12:37 . 2010-07-13 12:37 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-13 12:37 . 2010-07-13 12:37 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-13 12:37 . 2010-07-13 12:37 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-13 11:51 . 2010-07-13 11:51 -------- d-----w- C:\$AVG
2010-07-13 11:06 . 2010-07-13 11:06 -------- d-----w- c:\program files\AVG
2010-07-13 11:06 . 2010-07-15 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-08 14:53 . 2010-07-08 14:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 02:14 . 2010-02-06 23:26 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\LimeWire
2010-08-02 12:58 . 2001-08-17 13:51 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-07-23 12:15 . 2010-07-19 09:33 60664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-18 15:39 . 2010-02-06 22:47 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\Skype
2010-07-18 15:09 . 2010-03-21 10:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-18 14:01 . 2010-02-06 22:51 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\skypePM
2010-07-17 14:57 . 2009-07-10 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-13 10:59 . 2010-02-08 00:21 -------- d-----w- c:\program files\NortonInstaller
2010-07-13 10:59 . 2010-02-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-13 10:59 . 2009-07-10 22:13 -------- d-----w- c:\program files\Norton Internet Security
2010-07-08 14:01 . 2009-07-10 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-07 23:21 . 2010-03-27 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-23 05:31 . 2010-06-23 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SpinTop Games
2010-06-22 05:00 . 2010-06-22 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-06-22 04:58 . 2010-06-22 04:57 -------- d-----w- c:\program files\World of Warcraft Installer
2010-06-17 23:41 . 2010-02-04 22:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-16 09:09 . 2010-06-16 09:09 -------- d-----w- c:\documents and settings\Boom Boom\Application Data\PlayFirst
2010-06-16 09:05 . 2010-06-16 09:05 -------- d-----w- c:\program files\ReflexiveArcade
2010-06-09 23:40 . 2009-07-10 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-22 03:04 . 2010-05-22 03:04 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-22 03:04 . 2010-05-22 03:04 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-22 03:04 . 2010-05-22 03:04 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-22 03:03 . 2010-05-22 03:03 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-22 03:01 . 2010-03-27 04:41 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-22 03:01 . 2010-03-27 04:41 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-16 06:03 . 2010-05-16 06:03 50354 ----a-w- c:\documents and settings\Boom Boom\Application Data\Facebook\uninstall.exe
2008-05-07 08:34 . 2009-07-10 22:05 15523560 ----a-w- c:\program files\U1 Setup.exe
.

------- Sigcheck -------

[-] 2010-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\appmgmts.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-05_03.05.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-06 02:13 . 2010-08-06 02:13 16384 c:\windows\Temp\Perflib_Perfdata_5a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2009-11-06 15:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2009-11-06 15:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2010-02-17 2356088]
"Google Update"="c:\documents and settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-18 104936]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-01-05 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-06 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

c:\documents and settings\Boom Boom\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\documents and settings\Boom Boom\My Documents\LimeWire\LimeWire.exe [2009-12-17 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-7-11 376832]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusACPIServer]
2008-12-17 23:59 622592 ----a-w- c:\program files\EeePC\ACPI\AsAcpiSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 08:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 05:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Boom Boom\\My Documents\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [5/02/2010 8:39 AM 10368]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [5/02/2010 8:39 AM 154368]
.
Contents of the 'Scheduled Tasks' folder

2010-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006Core.job
- c:\documents and settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-16 13:47]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006UA.job
- c:\documents and settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-16 13:47]

2010-06-19 c:\windows\Tasks\Norton Security Scan for Boom Boom.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-27 14:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 12:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\a61ad301-8580-f5a9-8032-b648c64ea2d]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1x6up6yakptny"=hex:63,33,31,64,66,65,35,62,2d,38,34,65,63,2d,34,31,66,31,2d,
61,64,66,31,2d,30,30,39,30,61,32,64,64,32,63,39,37
"18ji1vtbi6xqv"=hex:65,00,00,00,f8,00,00,00,f3,e8,75,71,53,75,65,4d,65,00,00,
00,00,00,00,00,00,00,00,00,5b,fe,1d,c3,ec,84,f1,41,ad,f1,00,90,a2,dd,2c,97,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WININET.dll
c:\program files\ASUS\Eee Storage\XPClient.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-08-06 12:50:58
ComboFix-quarantined-files.txt 2010-08-06 02:50
ComboFix2.txt 2010-08-05 03:08

Pre-Run: 52,280,033,280 bytes free
Post-Run: 52,266,364,928 bytes free

- - End Of File - - 22C5EFFCC9595504186734F0EA4D0AB4







ESET:


C:\System Volume Information\_restore{DA60E581-C239-48E2-9083-6BB39CA51B34}\RP82\A0038681.exe Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\WINDOWS\alobazuko.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\WINDOWS\msextws.dll a variant of Win32/Cimag.CW trojan cleaned by deleting - quarantined
C:\_OTL\MovedFiles\08042010_221552\C_Documents and Settings\Boom Boom\Local Settings\Application Data\{7120845E-DEEB-4613-B9E5-1E609ACE815E}\chrome\content\overlay.xul probably a variant of Win32/Agent trojan cleaned by deleting - quarantined








Update
Hey Syler, I restarted the computer twice after that to test how long it takes to boot and what the start-up condition is. Explorer still hangs; the first restart took about 8 min and the second 17. It's a lot better than it was previously, so thank you for that! I'm just not sure what this hang is caused by, but whatever it is, it's still here.

Edited by Takapon, 06 August 2010 - 05:28 AM.


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:21 AM

Posted 06 August 2010 - 11:59 AM

Hello again,

Do you have an active AntiVirus running at the moment? I see traces of AVG, Avast and Norton on your machine.

If all these have been uninstalled, please run their removal tools to clean up what's left, then reinstall an Antivirus on your machine.


You still have some leftovers from an incomplete uninstallation of Norton security products on your computer.
To remove the leftovers please download and run the Norton Removal Tool.

Note: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
If you use ACT! or WinFAX, back up those databases before you proceed.



You can find the Avast cleanup tool here and AVG tool here



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\a61ad301-8580-f5a9-8032-b648c64ea2d]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#15 Takapon

Takapon
  • Topic Starter

  • Members
  • 13 posts
  • Local time:01:21 PM

Posted 08 August 2010 - 11:30 PM

Hey Syler,

Sorry about the late reply. Those links were great, ran them all.

Here's the log:



ComboFix 10-08-08.01 - Boom Boom 09/08/2010 14:14:55.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.546 [GMT 10:00]
Running from: C:\Documents and Settings\Boom Boom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Boom Boom\Desktop\CFScript.txt.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-08-06 09:53:43 . 2010-08-06 09:53:43 4212 ---ha-w- C:\WINDOWS\system32\zllictbl.dat
2010-08-06 09:53:39 . 2010-06-23 03:51:20 69120 ----a-w- C:\WINDOWS\system32\zlcomm.dll
2010-08-06 09:53:39 . 2010-06-23 03:51:20 103936 ----a-w- C:\WINDOWS\system32\zlcommdb.dll
2010-08-06 09:53:30 . 2010-08-06 09:53:44 -------- d-----w- C:\WINDOWS\system32\ZoneLabs
2010-08-06 09:53:30 . 2010-06-23 03:51:22 1238528 ----a-w- C:\WINDOWS\system32\zpeng25.dll
2010-08-06 09:53:26 . 2010-08-06 09:53:26 -------- d-----w- C:\Program Files\Zone Labs
2010-08-06 09:51:34 . 2010-08-09 04:19:14 -------- d-----w- C:\WINDOWS\Internet Logs
2010-08-06 09:26:09 . 2010-02-04 23:17:56 233136 ----a-w- C:\WINDOWS\system32\drivers\pctgntdi.sys
2010-08-06 09:26:05 . 2010-03-29 00:06:14 218592 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2010-08-06 09:26:05 . 2009-11-23 03:54:20 88040 ----a-w- C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2010-08-06 09:26:01 . 2010-04-08 04:29:32 63360 ----a-w- C:\WINDOWS\system32\drivers\pctplsg.sys
2010-08-06 09:25:27 . 2010-08-09 03:34:19 -------- d-----w- C:\Program Files\Spyware Doctor
2010-08-06 09:25:27 . 2010-08-06 09:26:25 -------- d-----w- C:\Program Files\Common Files\PC Tools
2010-08-06 09:25:27 . 2010-08-06 09:25:27 -------- d-----w- C:\Documents and Settings\Boom Boom\Application Data\PC Tools
2010-08-06 09:25:27 . 2010-08-06 09:25:27 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
2010-08-06 09:16:43 . 2010-08-06 09:17:01 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Google Updater
2010-08-06 09:13:06 . 2010-08-06 09:13:10 57344 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-08-06 09:12:56 . 2010-08-06 09:12:56 56765 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-08-06 09:12:53 . 2010-08-06 09:12:53 56997 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-08-06 09:12:45 . 2010-08-06 09:12:45 53600 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-08-06 09:12:44 . 2010-08-06 09:12:44 57715 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-08-06 09:11:59 . 2010-08-06 09:11:59 54153 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-08-06 09:11:58 . 2010-08-06 09:11:58 54128 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-08-06 09:11:55 . 2010-08-06 09:11:55 54644 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-08-06 09:11:47 . 2010-08-06 09:11:47 54101 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-08-06 07:22:48 . 2010-08-06 07:22:48 -------- d-----w- C:\Program Files\ESET
2010-08-04 12:15:52 . 2010-08-04 12:15:52 -------- d-----w- C:\_OTL
2010-08-04 11:52:07 . 2010-08-04 11:52:14 167936 ----a-w- C:\WINDOWS\system32\appmgmts.dll
2010-08-01 11:15:30 . 2010-08-01 11:15:30 -------- d-----w- C:\Documents and Settings\Boom Boom\Application Data\Malwarebytes
2010-08-01 11:15:14 . 2010-04-29 05:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-08-01 11:15:12 . 2010-08-01 11:15:20 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-08-01 11:15:12 . 2010-08-01 11:15:12 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-08-01 11:15:12 . 2010-04-29 05:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-07-19 10:32:22 . 2010-07-19 10:32:22 -------- d-----w- C:\Program Files\Trend Micro
2010-07-18 06:53:36 . 2008-04-13 14:10:28 34688 -c--a-w- C:\WINDOWS\system32\dllcache\lbrtfdc.sys
2010-07-18 06:53:36 . 2008-04-13 14:10:28 34688 ----a-w- C:\WINDOWS\system32\drivers\lbrtfdc.sys
2010-07-18 06:53:32 . 2008-04-13 14:11:24 8576 -c--a-w- C:\WINDOWS\system32\dllcache\i2omgmt.sys
2010-07-18 06:53:32 . 2008-04-13 14:11:24 8576 ----a-w- C:\WINDOWS\system32\drivers\i2omgmt.sys
2010-07-18 06:53:20 . 2008-04-13 14:11:00 8192 -c--a-w- C:\WINDOWS\system32\dllcache\changer.sys
2010-07-18 06:53:20 . 2008-04-13 14:11:00 8192 ----a-w- C:\WINDOWS\system32\drivers\changer.sys
2010-07-15 13:52:01 . 2010-07-15 13:52:01 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
2010-07-15 13:47:43 . 2010-07-15 13:47:43 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
2010-07-15 13:47:03 . 2010-08-06 09:16:44 -------- d-----w- C:\Program Files\Google
2010-07-15 13:45:04 . 2010-08-05 02:41:55 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Alwil Software
2010-07-15 13:17:27 . 2010-07-15 13:17:27 -------- d-----w- C:\Documents and Settings\Boom Boom\Application Data\AVG9
2010-07-13 13:11:59 . 2010-07-13 13:15:26 -------- d-----w- C:\Program Files\PocoMan
2010-07-13 12:39:17 . 2010-07-13 12:39:17 242696 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-13 12:39:16 . 2010-07-13 12:39:16 74760 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
2010-07-13 12:39:16 . 2010-07-13 12:39:16 29512 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-07-13 12:39:16 . 2010-07-13 12:39:16 26120 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
2010-07-13 12:39:16 . 2010-07-13 12:39:16 25096 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
2010-07-13 12:39:15 . 2010-07-13 12:39:15 30216 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
2010-07-13 12:39:15 . 2010-07-13 12:39:15 216200 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-13 12:39:15 . 2010-07-13 12:39:15 122376 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
2010-07-13 12:37:12 . 2010-07-13 12:37:12 1035032 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-13 12:37:11 . 2010-07-13 12:37:11 1685784 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-13 12:37:10 . 2010-07-13 12:37:10 813336 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-13 12:37:10 . 2010-07-13 12:37:10 624920 ----a-w- C:\Documents and Settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-13 11:51:23 . 2010-07-13 11:51:23 -------- d-----w- C:\$AVG
2010-07-13 11:06:19 . 2010-07-13 11:06:19 -------- d-----w- C:\Program Files\AVG
2010-07-13 11:06:16 . 2010-07-15 23:22:22 -------- d-----w- C:\Documents and Settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 04:06:56 . 2010-02-06 23:26:38 -------- d-----w- C:\Documents and Settings\Boom Boom\Application Data\LimeWire
2010-08-09 03:42:46 . 2010-02-09 10:33:03 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Symantec
2010-08-09 03:34:25 . 2010-02-04 22:35:14 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\Temp
2010-08-06 10:04:28 . 2010-02-06 22:47:50 -------- d-----w- C:\Documents and Settings\Boom Boom\Application Data\Skype
2010-08-06 09:22:59 . 2009-07-10 22:03:46 -------- d-----w- C:\Program Files\Common Files\Adobe
2010-08-06 09:21:39 . 2010-02-08 00:21:00 -------- d-----w- C:\Program Files\NortonInstaller
2010-08-06 09:13:10 . 2010-03-27 04:38:58 -------- d-----w- C:\Documents and Settings\All Users\Application Data\DivX
2010-08-06 09:12:56 . 2010-03-27 04:39:53 -------- d-----w- C:\Program Files\DivX
2010-08-06 09:09:39 . 2010-03-27 04:41:08 1062184 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-08-06 09:09:37 . 2010-03-27 04:41:08 895256 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-08-02 12:58:32 . 2001-08-17 13:51:52 3328 ----a-w- C:\WINDOWS\system32\drivers\pciide.sys
2010-07-23 12:15:12 . 2010-07-19 09:33:31 60664 ----a-w- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-18 15:09:10 . 2010-03-21 10:17:58 664 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2010-07-18 14:01:42 . 2010-02-06 22:51:29 -------- d-----w- C:\Documents and Settings\Boom Boom\Application Data\skypePM
2010-07-17 14:57:54 . 2009-07-10 22:13:06 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Skype
2010-07-13 10:59:31 . 2010-02-08 00:21:30 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Norton
2010-07-08 14:01:06 . 2009-07-10 23:34:25 -------- d-----w- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2010-06-23 05:31:12 . 2010-06-23 05:31:12 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SpinTop Games
2010-06-22 05:00:18 . 2010-06-22 05:00:18 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Blizzard
2010-06-22 04:58:40 . 2010-06-22 04:57:35 -------- d-----w- C:\Program Files\World of Warcraft Installer
2010-06-16 09:09:25 . 2010-06-16 09:09:25 -------- d-----w- C:\Documents and Settings\Boom Boom\Application Data\PlayFirst
2010-06-16 09:05:26 . 2010-06-16 09:05:26 -------- d-----w- C:\Program Files\ReflexiveArcade
2010-06-14 14:31:20 . 2009-07-10 20:38:36 744448 ----a-w- C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
2010-05-22 03:03:49 . 2010-05-22 03:03:49 84040 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-22 03:03:43 . 2010-05-22 03:03:43 57054 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-22 03:03:43 . 2010-05-22 03:03:43 54166 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-22 03:03:42 . 2010-05-22 03:03:42 57532 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-22 03:03:40 . 2010-05-22 03:03:40 56458 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-22 03:03:40 . 2010-05-22 03:03:40 54174 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-22 03:03:25 . 2010-05-22 03:03:25 57409 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-22 03:03:22 . 2010-05-22 03:03:22 56969 ----a-w- C:\Documents and Settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-16 06:03:57 . 2010-05-16 06:03:57 50354 ----a-w- C:\Documents and Settings\Boom Boom\Application Data\Facebook\uninstall.exe
2008-05-07 08:34:00 . 2009-07-10 22:05:13 15523560 ----a-w- C:\Program Files\U1 Setup.exe
.

------- Sigcheck -------

[-] 2010-08-04 11:52:14 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\system32\appmgmts.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-08-05_03.05.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-06 16:19:20 . 2007-11-06 16:19:20 54272 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 62976 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 46080 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 46592 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 64512 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-28 22:05:06 . 2008-07-28 22:05:06 66048 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 65024 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-28 22:05:06 . 2008-07-28 22:05:06 65024 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 56832 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 66560 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-28 22:05:06 . 2008-07-28 22:05:06 39936 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-28 22:05:06 . 2008-07-28 22:05:06 38912 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-28 20:07:42 . 2008-07-28 20:07:42 59904 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-28 20:07:42 . 2008-07-28 20:07:42 59904 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2006-12-01 14:46:44 . 2006-12-01 14:46:44 65536 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2010-08-09 04:06:18 . 2010-08-09 04:06:18 16384 C:\WINDOWS\Temp\Perflib_Perfdata_57c.dat
+ 2010-08-06 09:53:42 . 2010-06-23 03:51:20 99328 C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2010-08-06 09:53:39 . 2010-06-23 03:51:30 70656 C:\WINDOWS\system32\ZoneLabs\zatray.exe
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:40 21504 C:\WINDOWS\system32\ZoneLabs\lib\zsys.zip.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:40 14336 C:\WINDOWS\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:40 46592 C:\WINDOWS\system32\ZoneLabs\lib\zfde.zip.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:40 85504 C:\WINDOWS\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:40 37376 C:\WINDOWS\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:38 12800 C:\WINDOWS\system32\ZoneLabs\lib\oem_1488.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 12800 C:\WINDOWS\system32\ZoneLabs\lib\oem_1487.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 12800 C:\WINDOWS\system32\ZoneLabs\lib\oem_1486.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 20992 C:\WINDOWS\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 12800 C:\WINDOWS\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 10240 C:\WINDOWS\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 11264 C:\WINDOWS\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 14336 C:\WINDOWS\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 12288 C:\WINDOWS\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 11264 C:\WINDOWS\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:38 29184 C:\WINDOWS\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:36 13312 C:\WINDOWS\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:36 35840 C:\WINDOWS\system32\ZoneLabs\lib\Alert.zip.dll
+ 2010-08-06 09:53:40 . 2010-06-23 03:51:16 38912 C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2010-08-06 09:53:42 . 2010-06-23 03:51:14 75776 C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:20 43008 C:\WINDOWS\system32\vswmi.dll
+ 2010-08-06 09:53:41 . 2010-06-23 03:51:18 58368 C:\WINDOWS\system32\vsregexp.dll
+ 2010-03-10 19:29:32 . 2010-03-10 19:29:32 94208 C:\WINDOWS\system32\dpl100.dll
- 2010-03-08 17:59:18 . 2010-03-08 17:59:18 94208 C:\WINDOWS\system32\dpl100.dll
+ 2009-12-21 10:09:26 . 2009-12-21 10:09:26 16832 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-21 15:57:28 . 2009-12-21 15:57:28 35760 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-21 10:02:28 . 2009-12-21 10:02:28 79280 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-21 13:21:18 . 2009-12-21 13:21:18 99776 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 05:57:56 . 2009-12-11 05:57:56 70584 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-21 13:37:10 . 2009-12-21 13:37:10 27048 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 08:39:12 . 2009-12-21 08:39:12 15288 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 08:27:44 . 2009-12-21 08:27:44 75200 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 08:27:50 . 2009-12-21 08:27:50 61888 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 655872 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 572928 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-28 17:54:08 . 2008-07-28 17:54:08 225280 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-28 22:05:06 . 2008-07-28 22:05:06 161784 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2010-08-06 09:53:40 . 2010-06-23 03:51:20 141824 C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2010-08-06 09:53:41 . 2010-06-23 03:51:20 173056 C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2010-08-06 09:51:33 . 2010-06-23 03:51:18 211456 C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2010-08-06 09:53:40 . 2007-10-11 06:51:34 832984 C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2010-08-06 09:53:32 . 2010-06-23 03:51:16 434688 C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2010-08-06 09:53:40 . 2010-06-23 03:51:16 135680 C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2010-08-06 09:53:42 . 2009-07-13 13:58:50 722392 C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:42 126976 C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:38 279040 C:\WINDOWS\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:38 225792 C:\WINDOWS\system32\ZoneLabs\lib\Overview.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:36 368640 C:\WINDOWS\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:36 184832 C:\WINDOWS\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:36 375296 C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2010-08-06 09:51:33 . 2010-02-07 22:41:24 595432 C:\WINDOWS\system32\ZoneLabs\icslta.dll
+ 2010-08-06 09:53:44 . 2010-05-04 04:04:30 284136 C:\WINDOWS\system32\ZoneLabs\ffapi.dll
+ 2010-08-06 09:53:40 . 2010-06-23 03:51:16 169984 C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2010-08-06 09:53:42 . 2008-03-17 06:52:02 813568 C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:51:20 110080 C:\WINDOWS\system32\vsxml.dll
+ 2010-08-06 09:51:33 . 2010-06-23 03:51:18 713728 C:\WINDOWS\system32\vsutil.dll
+ 2010-08-06 09:53:29 . 2010-06-23 03:51:18 302592 C:\WINDOWS\system32\vspubapi.dll
+ 2010-08-06 09:53:29 . 2010-06-23 03:51:18 108032 C:\WINDOWS\system32\vsmonapi.dll
+ 2010-08-06 09:51:33 . 2010-06-23 03:51:18 228864 C:\WINDOWS\system32\vsinit.dll
+ 2010-08-06 09:53:27 . 2010-05-13 00:02:32 532224 C:\WINDOWS\system32\vsdatant.sys
+ 2010-08-06 09:51:33 . 2010-06-23 03:51:18 112128 C:\WINDOWS\system32\vsdata.dll
+ 2009-07-10 20:38:36 . 2010-06-14 14:31:20 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe
- 2009-07-10 20:38:36 . 2008-04-14 12:00:00 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe
+ 2010-08-06 09:25:37 . 2010-08-06 09:25:37 228352 C:\WINDOWS\Installer\91401.msi
+ 2010-08-06 09:21:21 . 2010-08-06 09:21:22 331264 C:\WINDOWS\Installer\91310.msi
+ 2009-12-11 05:57:56 . 2009-12-11 05:57:56 326056 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-21 08:35:52 . 2009-12-21 08:35:52 378264 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-21 10:05:50 . 2009-12-21 10:05:50 116168 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-21 08:34:06 . 2009-12-21 08:34:06 103864 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-09 09:18:50 . 2009-11-09 09:18:50 684032 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-21 10:02:42 . 2009-12-21 10:02:42 542168 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 05:57:56 . 2009-12-11 05:57:56 948672 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-21 08:43:30 . 2009-12-21 08:43:30 120240 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-21 15:57:30 . 2009-12-21 15:57:30 349616 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 08:15:14 . 2009-12-21 08:15:14 660912 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 09:32:54 . 2009-12-21 09:32:54 280024 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 05:57:56 . 2009-12-11 05:57:56 326056 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-21 09:15:02 . 2009-12-21 09:15:02 251296 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
+ 2008-07-28 22:05:10 . 2008-07-28 22:05:10 3783672 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-28 22:05:08 . 2008-07-28 22:05:08 3768312 C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2010-08-06 09:53:32 . 2010-06-23 03:51:18 1790464 C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2010-08-06 09:53:30 . 2010-06-23 03:52:56 2435592 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2010-08-06 09:53:31 . 2010-06-23 03:51:40 1536512 C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2009-07-10 20:27:15 . 2010-07-27 06:30:35 8462336 C:\WINDOWS\system32\shell32.dll
+ 2009-07-10 20:27:15 . 2010-07-27 06:30:35 8462336 C:\WINDOWS\system32\dllcache\shell32.dll
+ 2010-06-20 08:01:50 . 2010-06-20 08:01:50 8040960 C:\WINDOWS\Installer\913fa.msp
+ 2010-08-06 09:23:40 . 2010-08-06 09:23:40 3940352 C:\WINDOWS\Installer\913f9.msi
+ 2009-12-21 08:29:10 . 2009-12-21 08:29:10 2409880 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-21 09:00:00 . 2009-12-21 09:00:00 1298996 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JSByteCodeWin.bin
+ 2009-12-21 13:31:22 . 2009-12-21 13:31:22 5713920 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
+ 2010-02-12 00:50:33 . 2010-07-02 19:39:05 34045896 C:\WINDOWS\system32\MRT.exe
+ 2010-04-04 06:54:17 . 2010-04-04 06:54:17 11850240 C:\WINDOWS\Installer\913fb.msp
+ 2009-12-21 13:21:12 . 2009-12-21 13:21:12 20436408 C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2009-11-06 15:07:04 297808 ----a-w- C:\WINDOWS\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2009-11-06 15:07:04 297808 ----a-w- C:\WINDOWS\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-15 13:47:01 136176]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-06 09:16:45 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 08:59:24 17508864]
"AsusTray"="C:\Program Files\EeePC\ACPI\AsTray.exe" [2008-12-04 17:38:06 114688]
"AsusEPCMonitor"="C:\Program Files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 05:56:24 94208]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-19 03:08:00 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-19 03:08:00 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-19 03:07:00 131072]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 12:00:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 12:00:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 12:00:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 12:00:00 455168]
"ETDWare"="C:\Program Files\Elantech\ETDCtrl.exe" [2009-01-23 07:49:53 416768]
"CLMLServer"="C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-18 08:52:16 104936]
"UpdateP2GoShortCut"="C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 11:15:16 218408]
"UpdatePSTShortCut"="C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-01-05 08:27:48 210216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2010-02-06 23:25:51 149280]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-11-10 12:08:18 417792]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 00:50:58 1144104]
"Google Updater"="C:\Program Files\Google\Google Updater\GoogleUpdater.exe" [2010-08-06 09:16:37 161336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 02:04:47 35760]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 08:06:38 976832]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 03:51:30 1043968]

C:\Documents and Settings\Boom Boom\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Documents and Settings\Boom Boom\My Documents\LimeWire\LimeWire.exe [2009-12-17 503808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-7-11 376832]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusACPIServer]
2008-12-17 23:59:50 622592 ----a-w- C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 08:16:42 141608 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 05:44:34 3883856 ----a-w- C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\Boom Boom\\My Documents\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;C:\WINDOWS\system32\drivers\CLBStor.sys [5/02/2010 8:39:24 AM 10368]
R0 PCTCore;PCTools KDS;C:\WINDOWS\system32\drivers\PCTCore.sys [6/08/2010 7:26:05 PM 218592]
R2 CLBUDFR;CyberLink UDF Filesystem;C:\WINDOWS\system32\drivers\CLBUDFR.sys [5/02/2010 8:39:24 AM 154368]
S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files\Spyware Doctor\pctsAuxs.exe [6/08/2010 7:25:31 PM 366840]
.
Contents of the 'Scheduled Tasks' folder

2010-07-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34:12 . 2008-07-30 01:34:12]

2010-08-09 C:\WINDOWS\Tasks\Google Software Updater.job
- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-08-06 09:16:39 . 2010-08-06 09:16:39]

2010-07-18 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006Core.job
- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-16 07:27:28 . 2010-07-15 13:47:01]

2010-08-09 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2946036855-2774403157-1909545103-1006UA.job
- C:\Documents and Settings\Boom Boom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-16 07:27:28 . 2010-07-15 13:47:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeUpdater - C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
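The one row in this log a responder would chase first is the `[-]` line in the Sigcheck section: `appmgmts.dll` fails ComboFix's signature check, its created timestamp (2010-08-04, the same day `C:\_OTL` appeared) puts it inside the Files Created window, and its version string is an SP2 RTM build on what the opening post describes as an SP3 install. None of that is proof of tampering by itself; the file has to be hashed against a known-good copy, and the Files Created section is full of legitimate rows from the tools used in this thread (Malwarebytes, Spyware Doctor, ZoneAlarm, OTL). The script below is an added example for this thread, not ComboFix's code and not anything the poster ran: it splits the log on its section banners, parses the `Files Created` rows and the Sigcheck failures, ranks new files under `system32` (drivers first, newest first) and pairs each Sigcheck failure with its `Files Created` row so the two timelines can be read together. `SAMPLE` is a constructed excerpt of the rows above, the regexes assume only the line shapes visible in this log, and the `since` cutoff is an arbitrary choice passed by the caller.

```python
"""Triage helpers for a ComboFix log (added example, not ComboFix's own code).
Relies only on line shapes visible in the log above: '(((( Title ))))' and
'--- Title ---' banners, 'created . modified size attrs path' rows, and the
'[-] modified . md5 . size . . [version] . . path' rows of Sigcheck."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

_TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
_BANNER = re.compile(r"^\(+ (.*?) \)+$|^-+ (.*?) -+$")
_ROW = re.compile(rf"^{_TS} \. {_TS} (\d+|-+) (\S+) (.+)$")
_SIGFAIL = re.compile(rf"^\[-\] {_TS} \. ([0-9A-Fa-f]{{32}}) \. (\d+) \. \. \[(.*?)\] \. \. (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"   # covers system32\drivers as well

@dataclass(frozen=True)
class FileRow:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for a directory row ('--------')
    attrs: str
    path: str

@dataclass(frozen=True)
class SigFail:
    modified: datetime
    md5: str
    size: int
    version: str
    path: str

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def split_sections(text):
    """Map each banner title to the raw text up to the next banner."""
    out, title, buf = {}, None, []
    for line in text.splitlines():
        m = _BANNER.match(line.strip())
        if m and title is not None:
            out[title] = "\n".join(buf)
        if m:
            title, buf = m.group(1) or m.group(2), []
        else:
            buf.append(line)
    if title is not None:
        out[title] = "\n".join(buf)
    return out

def section(secs, prefix):
    """Text of the first section whose title starts with `prefix` ('' if none)."""
    return next((body for t, body in secs.items() if t.startswith(prefix)), "")

def parse_rows(body):
    rows = []
    for m in filter(None, map(_ROW.match, map(str.strip, body.splitlines()))):
        c, mo, size, attrs, path = m.groups()
        rows.append(FileRow(_ts(c), _ts(mo), None if size.startswith("-") else int(size), attrs, path))
    return rows

def parse_sigfails(body):
    fails = []
    for m in filter(None, map(_SIGFAIL.match, map(str.strip, body.splitlines()))):
        mo, md5, size, ver, path = m.groups()
        fails.append(SigFail(_ts(mo), md5.upper(), int(size), ver, path))
    return fails

def rank_system_changes(rows, since):
    """Files (not directories) under system32 created on/after `since` (ISO date),
    drivers first, newest first. Every hit still needs a hash check against a
    known-good copy: the cleanup tools used in this thread create files here too."""
    cutoff = datetime.fromisoformat(since)
    hits = [r for r in rows if r.size is not None and r.created >= cutoff
            and r.path.lower().startswith(SYSTEM32)]
    return sorted(hits, key=lambda r: (r.path.lower().endswith(".sys"), r.created), reverse=True)

def correlate(rows, fails):
    """Pair each Sigcheck failure with the Files Created row for the same path (or None)."""
    by_path = {r.path.lower(): r for r in rows}
    return [(f, by_path.get(f.path.lower())) for f in fails]

def triage(text, since):
    secs = split_sections(text)
    rows = parse_rows(section(secs, "Files Created"))
    return {"system_changes": rank_system_changes(rows, since),
            "sigcheck": correlate(rows, parse_sigfails(section(secs, "Sigcheck")))}

# Constructed excerpt: a few rows copied from the log in this thread.
SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
2010-08-06 09:53:30 . 2010-08-06 09:53:44 -------- d-----w- C:\WINDOWS\system32\ZoneLabs
2010-08-06 09:26:05 . 2010-03-29 00:06:14 218592 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2010-08-04 11:52:07 . 2010-08-04 11:52:14 167936 ----a-w- C:\WINDOWS\system32\appmgmts.dll
2010-08-01 11:15:14 . 2010-04-29 05:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-07-13 13:11:59 . 2010-07-13 13:15:26 -------- d-----w- C:\Program Files\PocoMan
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-08-02 12:58:32 . 2001-08-17 13:51:52 3328 ----a-w- C:\WINDOWS\system32\drivers\pciide.sys
------- Sigcheck -------
[-] 2010-08-04 11:52:14 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\system32\appmgmts.dll
"""
```

Calling `triage(SAMPLE, "2010-08-01")` returns the two PC Tools / Malwarebytes drivers ahead of `appmgmts.dll` in `system_changes` (drivers outrank DLLs regardless of date), and a single `sigcheck` pair whose `FileRow` carries the same 167936-byte size and the 2010-08-04 created time seen in the log. Rows from the Find3M section are deliberately kept out of the ranking, since that section lists files modified, not created, in the window. The script never decides that a file is bad; it only orders what to hash first.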





