Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with virus that affects svchost


  • Please log in to reply
15 replies to this topic

#1 Cabinetguy

Cabinetguy

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 23 July 2010 - 09:19 PM

I'm getting random redirects, can't connect to any windows update pages, browser sometimes doesn't open, couldn't uninstall AVG, when trying to edit registry, I couldn't add permissions.

I've scanned with AVG, MBAM, HitmanPro, Adaware, used HijackThis, and microsoft malicious software removal. I've tried to replace the svchost with a known good one through dos prompt.

This one is stubborn for me, so any help would be greatly appreciated.

UPDATE 7/24 @ 0746am.
- I am surprised that the log and everything posted. Last night when I was trying to post it, I kept getting a "connection reset" error. I tried posting a dozen times or so and was just going to post from my work computer this morning. It appears that the virus has a portion of this site blocked, the same as the windows update pages and some AV pages.







DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:39:20.45 on Fri 07/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1007 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\20-20 Technologies\2020Design\mswin\60\scbar.exe
C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System3

Attached Files


Edited by Cabinetguy, 24 July 2010 - 06:50 AM.


BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 31 July 2010 - 10:15 AM

Hello Cabinetguy

Welcome to BleepingComputer smile.gif
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 Cabinetguy

Cabinetguy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 01 August 2010 - 02:49 PM

OTL Extras logfile created on: 8/1/2010 11:47:09 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): D:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.55 Gb Total Space | 62.12 Gb Free Space | 83.33% Space Free | Partition Type: NTFS
Drive D: | 74.50 Gb Total Space | 45.78 Gb Free Space | 61.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANONYMOUS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{109945A8-D8D5-48B8-B4A5-195D3F99B56D}" = Logitech GamePanel Software 3.04.143
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{197C57A5-F356-4829-AA21-4EB9A00F2ADC}" = 20-20 Version 8.1
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2BBC9458-07CA-4843-848B-5C8146E5EFA8}" = CreativeProjects
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{457791C5-D702-4143-A7B2-2744BE9573F2}" = HP Software Update
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}" = ProductContext
"{5A180ED5-0AC1-410A-B790-5E0319CD0A93}" = Sentinel Protection Installer 7.4.0
"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F4C89E3-B962-46DB-8452-C00B4A02DB3F}" = 20-20 Version 8.1
"{68349DE6-7161-44DA-8F3B-3B33FC564C39}" = 20-20 Version 8.1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72E67064-A144-42A6-BC85-12276B2D5D42}" = 2400_2500Help
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ABA3505-9FE1-4F46-8D20-EDA8E9291DBB}" = 20-20 Version 8.1
"{8B957F8D-FBDE-4DB4-99E7-192487575050}" = 23_24_2500Tour
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{981FB376-8418-4EA8-BBED-9DE5AA63E7D5}" = SkinsHP1
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9AD84892-7664-479C-8F95-7A25B964B04D}" = 2400_2500trb
"{9B5D289A-0E38-4979-AF70-B92FC2D96005}" = 20-20 Version 8.1
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A1DCC235-DACC-4E1F-8D11-D630634B4AEF}" = PhotoGallery
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A620E308-2124-4A35-BA95-F1CAEF538CB9}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}" = Director
"{B45D9FEE-1AF4-46F3-9A83-2545F81547F5}" = CreativeProjectsTemplates
"{B49673F8-7AB6-4A14-8213-C8A7BE370010}" = UltraMon
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{B9EDB852-D99C-4EAC-A7B7-C770B3B7CDCB}" = 20-20 Version 8.1
"{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0DA2845-E638-4E4A-B014-25C8A0E5270E}" = 20-20 Version 8.1
"{CC6FB697-65CC-4B9E-96E8-E5270138FA2D}" = 20-20 Version 8.1
"{CD3E2F00-24CE-4C25-B358-FBD0E2E0430D}" = 20-20 Version 8.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 Service Pack 1
"{CEB6968F-3F23-44E3-9E61-BF38155F4C5F}" = 20-20 Version 8.1
"{E43FB20D-0847-4794-B7FC-D5559E04DE5B}" = MRCG Order Form
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{EE3A1D30-B97D-4EC0-BA65-EEE4131ECA9A}" = AirPlus XtremeG DWL-G520
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F3CE9D82-E786-4BDF-A47B-B0CE51772A01}" = 20-20 Version 8.1
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}" = Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}" = WebReg
"{FA69D133-6732-4AB1-91A8-11B752F12AF4}" = KraftMaid Cabinetry 20-20 Catalogs
"{FBCFA617-1856-4BE2-BA3C-BADD374757E7}" = 2500
"{FF26F7EA-BCEE-478C-9A1B-6B4F88717D73}" = CueTour
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver (Omega 3.8.442)
"AVG9Uninstall" = AVG 9.0
"Building & Co" = Building & Co
"CutePDF Writer Installation" = CutePDF Writer 2.8
"DivX Setup.divx.com" = DivX Setup
"Foxit Reader" = Foxit Reader
"GrabIt_is1" = GrabIt 1.7.2 Beta 4 (build 997)
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.2
"InstallShield_{A620E308-2124-4A35-BA95-F1CAEF538CB9}" = SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.2.0
"LimeWire" = LimeWire 5.5.6
"Microsoft Silverlight" = Microsoft Silverlight
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Mozilla Thunderbird (3.1)" = Mozilla Thunderbird (3.1)
"MultiRes (remove only)" = MultiRes (remove only)
"Pen Tablet Driver" = Pen Tablet
"QuickPar" = QuickPar 0.9
"QuicktimeAlt_is1" = QuickTime Alternative 3.0.0
"Rainbow Client Activator 2.0 English" = Client Activator 2.0 - English (2)
"Rainbow Client Activator 2.0 English All" = Client Activator 2.0 - English (All)
"RivaTuner" = RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"Unlocker" = Unlocker 1.8.7
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WinGimp-2.0_is1" = GIMP 2.6.8

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/27/2010 6:12:39 PM | Computer Name = ANONYMOUS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/27/2010 7:18:07 PM | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5689, faulting
module urlmon.dll, version 8.0.6001.22995, fault address 0x0002dfce.

Error - 7/28/2010 7:59:42 AM | Computer Name = ANONYMOUS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office XP Professional with FrontPage -- Error
1706. Setup cannot find the required files. Check your connection to the network,
or CD-ROM drive. For other potential solutions to this problem, see C:\Program
Files\Microsoft Office\Office10\1033\SETUP.HLP.

Error - 7/28/2010 7:59:47 AM | Computer Name = ANONYMOUS | Source = MsiInstaller | ID = 1023
Description = Product: Microsoft Office XP Professional with FrontPage - Update
'{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}' could not be installed. Error code 1603.
Additional information is available in the log file C:\DOCUME~1\Owner\LOCALS~1\Temp\MSIe71d0.LOG.

Error - 7/28/2010 8:04:22 AM | Computer Name = ANONYMOUS | Source = NativeWrapper | ID = 5000
Description =

Error - 7/28/2010 8:41:20 AM | Computer Name = ANONYMOUS | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office XP Professional with FrontPage -- Error
1706. Setup cannot find the required files. Check your connection to the network,
or CD-ROM drive. For other potential solutions to this problem, see C:\Program
Files\Microsoft Office\Office10\1033\SETUP.HLP.

Error - 7/28/2010 8:41:24 AM | Computer Name = ANONYMOUS | Source = MsiInstaller | ID = 1023
Description = Product: Microsoft Office XP Professional with FrontPage - Update
'{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}' could not be installed. Error code 1603.
Additional information is available in the log file C:\DOCUME~1\Owner\LOCALS~1\Temp\MSI58043.LOG.

Error - 7/28/2010 8:42:23 AM | Computer Name = ANONYMOUS | Source = NativeWrapper | ID = 5000
Description =

Error - 7/28/2010 8:52:32 AM | Computer Name = ANONYMOUS | Source = NativeWrapper | ID = 5000
Description =

Error - 7/28/2010 5:57:11 PM | Computer Name = ANONYMOUS | Source = NativeWrapper | ID = 5000
Description =

[ System Events ]
Error - 7/31/2010 7:13:18 PM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 7/31/2010 7:13:18 PM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/1/2010 6:00:38 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/1/2010 6:00:38 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
Description = The wscsvc service failed to start due to the following error: %%1083

Error - 8/1/2010 6:00:38 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 8/1/2010 6:02:30 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/1/2010 11:21:13 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/1/2010 11:21:13 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
Description = The wscsvc service failed to start due to the following error: %%1083

Error - 8/1/2010 11:21:13 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 8/1/2010 11:34:23 AM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

********************************************************************************************************

OTL logfile created on: 8/1/2010 11:47:09 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): D:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.55 Gb Total Space | 62.12 Gb Free Space | 83.33% Space Free | Partition Type: NTFS
Drive D: | 74.50 Gb Total Space | 45.78 Gb Free Space | 61.45% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANONYMOUS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgam.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (StarWind Software)
PRC - C:\Program Files\20-20 Technologies\2020Design\Mswin\60\SCBar.Exe (MKS Informatique)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.exe (Ray Adams)
PRC - C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation)
PRC - C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe (Hewlett-Packard Company)


========== Modules (SafeList) ==========

MOD - C:\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\raphook.dll ()


========== Win32 Services (SafeList) ==========

SRV - (wscsvc) -- C:\WINDOWS\System32\wscsvc.dll File not found
SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (StarWindServiceAE) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (StarWind Software)
SRV - (TabletServicePen) -- C:\WINDOWS\system32\Pen_Tablet.exe (Wacom Technology, Corp.)
SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\DOCUME~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found
DRV - (SASDIFSV) -- C:\DOCUME~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgRkx86) -- C:\WINDOWS\System32\Drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (sptd) -- C:\WINDOWS\system32\drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (LGVirHid) -- C:\WINDOWS\system32\drivers\LGVirHid.sys (Logitech Inc.)
DRV - (LGBusEnum) -- C:\WINDOWS\system32\drivers\LGBusEnum.sys (Logitech Inc.)
DRV - (DumpDrv) -- C:\WINDOWS\System32\drivers\dumpdrv.sys (Microsoft Corporation)
DRV - (RivaTuner32) -- C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys ()
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\athw.sys (Atheros Communications, Inc.)
DRV - (UltraMonUtility) -- C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys (Realtime Soft Ltd)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (wacmoumonitor) -- C:\WINDOWS\system32\drivers\wacmoumonitor.sys (Wacom Technology)
DRV - (wacomvhid) -- C:\WINDOWS\system32\drivers\wacomvhid.sys (Wacom Technology)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atitray) -- C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys ()
DRV - (sentemu) -- C:\WINDOWS\system32\drivers\Sentemu.sys (SafeKey International, Inc.)
DRV - (sscdserd) SAMSUNG Mobile Modem Diagnostic Serial Port (WDM) -- C:\WINDOWS\system32\drivers\sscdserd.sys (MCCI Corporation)
DRV - (sscdmdm) -- C:\WINDOWS\system32\drivers\sscdmdm.sys (MCCI Corporation)
DRV - (sscdmdfl) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys (MCCI Corporation)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\WINDOWS\system32\drivers\sscdbus.sys (MCCI Corporation)
DRV - (A3AB) D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB) -- C:\WINDOWS\system32\drivers\A3AB.sys (D-Link Corporation)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (SafeNet, Inc.)
DRV - (wacommousefilter) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys (Wacom Technology)
DRV - (WacomVKHid) -- C:\WINDOWS\system32\drivers\WacomVKHid.sys (Wacom Technology)
DRV - (SISNICXP) -- C:\WINDOWS\system32\drivers\sisnicxp.sys (SiS Corporation)
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (siside) -- C:\WINDOWS\system32\DRIVERS\siside.sys (Silicon Integrated Systems Corp.)
DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctljystk) -- C:\WINDOWS\system32\drivers\ctljystk.sys (Creative Technology Ltd.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.2.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.8

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/03/05 21:28:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/05/28 16:43:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/07/21 17:18:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/25 14:28:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 14:28:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/07/06 08:02:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/03/15 20:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/07/06 08:02:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/03/05 21:44:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/03/15 20:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/07/28 18:11:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions
[2010/06/23 18:38:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/10 13:18:30 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/04 16:37:21 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2010/07/31 12:57:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/25 14:28:39 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/05/28 16:44:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/07/25 14:28:21 | 000,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/07/25 14:28:21 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2010/05/28 16:43:56 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/25 14:28:30 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010/07/25 14:28:32 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/07/25 14:28:32 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/07/25 14:28:32 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/07/25 14:28:32 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/07/25 14:28:32 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/07/25 14:28:32 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/07/25 14:28:32 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/07/22 20:06:13 | 000,610,455 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.pctipp.ch
O1 - Hosts: 127.0.0.1 pctipp.ch
O1 - Hosts: 127.0.0.1 www.raymond.cc
O1 - Hosts: 127.0.0.1 raymond.cc
O1 - Hosts: 127.0.0.1 www.claymania.com
O1 - Hosts: 127.0.0.1 claymania.com
O1 - Hosts: 127.0.0.1 www.elephantboycomputers.com
O1 - Hosts: 127.0.0.1 elephantboycomputers.com
O1 - Hosts: 127.0.0.1 www.it-mate.co.uk
O1 - Hosts: 127.0.0.1 it-mate.co.uk
O1 - Hosts: 127.0.0.1 mysteryfcm.co.uk
O1 - Hosts: 127.0.0.1 www.mysteryfcm.co.uk
O1 - Hosts: 127.0.0.1 www.internetinspiration.co.uk
O1 - Hosts: 127.0.0.1 internetinspiration.co.uk
O1 - Hosts: 127.0.0.1 www.mvps.org
O1 - Hosts: 127.0.0.1 mvps.org
O1 - Hosts: 127.0.0.1 bughunter.it-mate.co.uk
O1 - Hosts: 127.0.0.1 www.bughunter.it-mate.co.uk
O1 - Hosts: 127.0.0.1 www.siri.geekstogo.com
O1 - Hosts: 127.0.0.1 siri.geekstogo.com
O1 - Hosts: 127.0.0.1 siri.urz.free.fr
O1 - Hosts: 127.0.0.1 www.siri.urz.free.fr
O1 - Hosts: 127.0.0.1 noahdfear.geekstogo.com
O1 - Hosts: 127.0.0.1 www.noahdfear.geekstogo.com
O1 - Hosts: 16326 more lines...
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\20-20 Shortcut Bar.lnk = C:\Program Files\20-20 Technologies\2020Design\Mswin\60\SCBar.Exe (MKS Informatique)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ATI Tray Tools.lnk = C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.exe (Ray Adams)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 18
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoColorChoice = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoSizeChoice = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoVisualStyleChoice = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/sit...b?1279846118562 (MUCatalogWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.112.12
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183528496136192)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/28 18:14:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Office Genuine Advantage
[2010/07/28 18:14:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/07/28 18:14:44 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Owner\My Documents\My Webs
[2010/07/28 18:07:21 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/07/28 08:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/07/28 07:53:41 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\asycfilt.dll
[2010/07/28 07:52:35 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/28 07:51:12 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/07/27 19:50:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/23 20:55:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/07/22 19:31:06 | 000,004,224 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Local Settings\Application Data\beep.sys
[2010/07/22 19:31:05 | 029,634,504 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Local Settings\Application Data\scan.exe
[2010/07/22 19:31:04 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Local Settings\Application Data\tskill.exe
[2010/07/22 19:19:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2010/07/20 17:30:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth
[2010/07/20 07:34:19 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/07/20 07:17:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/19 22:22:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/07/19 18:00:07 | 000,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/07/19 17:56:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2010/07/19 17:41:45 | 000,339,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2010/07/19 17:37:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVG9
[2010/07/19 08:05:57 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/19 07:55:03 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/07/18 12:36:08 | 000,000,000 | ---D | C] -- C:\Program Files\Playlogic
[2010/07/18 12:32:28 | 000,000,000 | ---D | C] -- C:\Program Files\Alcohol Soft
[2010/07/18 12:05:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/18 12:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/07/18 11:49:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2010/07/18 11:49:08 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2010/07/18 11:49:08 | 000,000,000 | ---D | C] -- C:\Program Files\outlook express
[2010/07/18 11:49:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2010/07/18 11:49:08 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
[2010/07/18 11:49:07 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
[2010/07/18 11:49:07 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2010/07/18 11:48:58 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2010/07/18 11:48:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
[2010/07/18 11:46:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/18 11:36:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/18 11:30:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/07/18 11:21:17 | 000,000,000 | ---D | C] -- C:\Antispyware mobile
[2010/07/18 11:20:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/18 11:07:07 | 000,697,328 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/07/18 04:44:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/07/18 03:43:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/18 03:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/17 22:04:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/07/17 22:04:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/07/17 20:26:06 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/07/17 19:54:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/07/17 17:28:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/17 17:22:20 | 000,000,000 | ---D | C] -- C:\$AVG
[2010/07/17 17:22:02 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/17 17:22:02 | 000,052,872 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/07/17 17:22:01 | 000,216,400 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/17 17:22:01 | 000,029,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/17 17:21:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/07/17 17:21:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/07/17 17:21:44 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/07/17 16:32:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/17 16:31:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/17 16:11:24 | 000,662,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mscomct2.ocx
[2010/07/17 16:11:24 | 000,413,756 | ---- | C] (DILib) -- C:\WINDOWS\System32\dijpg.dll
[2010/07/17 16:11:24 | 000,212,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\RICHTX32.OCX
[2010/07/17 16:11:24 | 000,132,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msinet.ocx
[2010/07/17 16:11:24 | 000,040,960 | ---- | C] (vbAccelerator) -- C:\WINDOWS\System32\vbalflbr6.dll
[2010/07/17 16:11:23 | 000,124,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2010/07/17 16:10:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\QuickPar
[2010/07/17 16:10:09 | 000,000,000 | ---D | C] -- C:\Program Files\QuickPar
[2010/07/17 16:08:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2010/07/17 16:06:01 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/07/17 15:35:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\GrabIt
[2010/07/17 15:27:50 | 000,000,000 | ---D | C] -- C:\Program Files\GrabIt
[2010/07/16 21:44:31 | 000,036,864 | ---- | C] (TOSHIBA/MEI) -- C:\WINDOWS\System32\SDDEVMGR.dll
[2010/07/16 21:44:31 | 000,000,000 | ---D | C] -- C:\Program Files\Panasonic
[2010/07/16 17:22:08 | 000,106,792 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdmdm.sys
[2010/07/16 17:22:08 | 000,086,824 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdserd.sys
[2010/07/16 17:22:08 | 000,080,552 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdbus.sys
[2010/07/16 17:22:08 | 000,011,944 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdmdfl.sys
[2010/07/16 17:22:08 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdwhnt.sys
[2010/07/16 17:22:08 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdwh.sys
[2010/07/16 17:22:08 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdcmnt.sys
[2010/07/16 17:22:08 | 000,009,256 | ---- | C] (MCCI Corporation) -- C:\WINDOWS\System32\drivers\sscdcm.sys
[2010/07/16 17:22:06 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung
[2010/07/15 18:18:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\gtk-2.0
[2010/07/08 10:58:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\U3
[2010/07/06 08:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Thunderbird
[2010/07/06 08:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Thunderbird
[2010/07/06 08:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2010/07/03 16:53:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Ventrilo
[2010/07/03 16:52:14 | 000,000,000 | ---D | C] -- C:\Program Files\Ventrilo
[2010/07/03 16:51:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/03/05 19:00:30 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/01 11:45:21 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\md5h8m2u.exe
[2010/08/01 11:36:26 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A1024902-1157-4F08-AFB6-142215FD8C43}.job
[2010/08/01 11:34:27 | 000,000,006 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{236A396C-FBDD-4753-A26C-D000E35D99A9}
[2010/08/01 11:34:22 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/08/01 11:34:21 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2010/08/01 11:26:02 | 062,834,491 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/08/01 11:19:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/01 11:19:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/01 11:19:48 | 1610,145,792 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/01 08:19:41 | 000,003,888 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000002-100A1102}.rfx
[2010/08/01 08:19:41 | 000,003,888 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000002-100A1102}.rfx
[2010/08/01 08:19:29 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/08/01 08:19:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/08/01 06:02:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/31 19:28:09 | 004,849,976 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/07/29 10:10:02 | 000,260,328 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/28 08:03:59 | 000,501,230 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/28 08:03:59 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/28 08:03:59 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/27 19:50:13 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/27 08:39:34 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/25 15:31:02 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/23 17:29:23 | 000,000,251 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\ax_files.xml
[2010/07/22 20:41:58 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/22 20:06:13 | 000,610,455 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/07/22 20:06:13 | 000,610,455 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\HOSTS
[2010/07/22 20:06:13 | 000,004,512 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\hpregfix.reg
[2010/07/22 20:06:13 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\beep.sys
[2010/07/22 20:06:13 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Local Settings\Application Data\beep.sys
[2010/07/22 20:06:13 | 000,003,008 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\bgregfix.reg
[2010/07/22 20:06:13 | 000,002,600 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\exefix.reg
[2010/07/22 20:06:13 | 000,000,896 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\databasepath.reg
[2010/07/22 20:06:12 | 029,634,504 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Local Settings\Application Data\scan.exe
[2010/07/22 20:06:12 | 000,951,291 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\remregfix.reg
[2010/07/22 20:06:12 | 000,018,308 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IEDef.reg
[2010/07/22 20:06:12 | 000,005,228 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\nfig.reg
[2010/07/22 20:06:12 | 000,004,994 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\s.reg
[2010/07/22 20:06:12 | 000,001,754 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\regf.reg
[2010/07/22 20:06:12 | 000,000,890 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\Remove-itRestorePoint.vbs
[2010/07/22 20:05:59 | 000,016,384 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Local Settings\Application Data\tskill.exe
[2010/07/22 19:31:38 | 000,610,455 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS.PCB
[2010/07/22 19:04:58 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/07/20 10:16:08 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/07/20 10:16:07 | 000,000,658 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/20 10:16:07 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/20 07:34:19 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/07/19 18:00:07 | 000,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/07/19 08:09:52 | 000,000,669 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HitmanPro35.lnk
[2010/07/19 08:07:56 | 000,000,048 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/07/19 08:05:59 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/19 08:05:57 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/19 08:05:57 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/19 08:05:47 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/19 08:05:45 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys
[2010/07/19 08:03:27 | 000,000,438 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\log.xml
[2010/07/18 12:38:13 | 000,000,844 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Building & Co.lnk
[2010/07/18 12:32:51 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Alcohol 120%.lnk
[2010/07/18 12:25:53 | 000,697,328 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/07/17 17:24:03 | 000,142,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/07/17 17:22:02 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/07/17 17:22:02 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/07/17 17:21:59 | 006,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/07/17 17:21:59 | 000,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/07/17 16:18:44 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\xztkleq.sys
[2010/07/17 16:18:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\zyuzv.sys
[2010/07/17 16:13:45 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Qbinewe.dat
[2010/07/17 16:13:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Svahe.bin
[2010/07/17 16:11:24 | 000,010,562 | ---- | M] () -- C:\WINDOWS\is-KVGNP.msg
[2010/07/17 16:11:24 | 000,000,779 | ---- | M] () -- C:\WINDOWS\is-KVGNP.lst
[2010/07/17 16:10:09 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\QuickPar.lnk
[2010/07/17 15:27:50 | 000,000,624 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\GrabIt.lnk
[2010/07/17 15:27:50 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GrabIt.lnk
[2010/07/16 18:52:12 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
[2010/07/15 18:31:53 | 000,002,097 | ---- | M] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2010/07/03 16:52:22 | 000,000,262 | ---- | M] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/07/03 16:52:20 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/01 11:45:19 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\md5h8m2u.exe
[2010/07/28 08:00:08 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/07/27 19:50:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/27 19:50:07 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/23 17:17:41 | 1610,145,792 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/22 19:31:06 | 000,951,291 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\remregfix.reg
[2010/07/22 19:31:06 | 000,610,455 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\HOSTS
[2010/07/22 19:31:06 | 000,018,308 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IEDef.reg
[2010/07/22 19:31:06 | 000,005,228 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\nfig.reg
[2010/07/22 19:31:06 | 000,004,994 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\s.reg
[2010/07/22 19:31:06 | 000,004,512 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\hpregfix.reg
[2010/07/22 19:31:06 | 000,003,008 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\bgregfix.reg
[2010/07/22 19:31:06 | 000,002,600 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\exefix.reg
[2010/07/22 19:31:06 | 000,001,754 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\regf.reg
[2010/07/22 19:31:06 | 000,000,896 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\databasepath.reg
[2010/07/22 19:31:06 | 000,000,890 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\Remove-itRestorePoint.vbs
[2010/07/19 08:09:52 | 000,000,669 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HitmanPro35.lnk
[2010/07/19 08:07:56 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/07/19 08:03:27 | 000,000,438 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\log.xml
[2010/07/18 15:27:19 | 000,000,251 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\ax_files.xml
[2010/07/18 12:38:13 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Building & Co.lnk
[2010/07/18 12:32:51 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Alcohol 120%.lnk
[2010/07/18 11:31:02 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/07/17 20:12:53 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/17 17:28:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/17 17:22:02 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/07/17 17:22:02 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 9.0.lnk
[2010/07/17 17:21:59 | 062,834,491 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/17 17:21:59 | 006,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2010/07/17 17:21:59 | 000,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2010/07/17 17:21:59 | 000,142,495 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2010/07/17 16:14:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\zyuzv.sys
[2010/07/17 16:13:45 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Qbinewe.dat
[2010/07/17 16:13:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Svahe.bin
[2010/07/17 16:12:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\xztkleq.sys
[2010/07/17 16:11:24 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\actskn43.ocx
[2010/07/17 16:11:24 | 000,010,562 | ---- | C] () -- C:\WINDOWS\is-KVGNP.msg
[2010/07/17 16:11:24 | 000,000,779 | ---- | C] () -- C:\WINDOWS\is-KVGNP.lst
[2010/07/17 16:10:09 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\QuickPar.lnk
[2010/07/17 15:27:50 | 000,000,624 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\GrabIt.lnk
[2010/07/17 15:27:50 | 000,000,606 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GrabIt.lnk
[2010/07/16 18:52:12 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
[2010/07/15 18:31:53 | 000,002,097 | ---- | C] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2010/07/03 16:52:19 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2010/07/03 16:52:10 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/06/22 19:15:38 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/06/15 19:51:17 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2010/06/15 19:39:29 | 000,651,264 | R--- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2010/06/15 19:39:29 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2010/05/31 10:13:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/05/12 20:26:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mksregedit.INI
[2010/05/12 19:45:13 | 000,000,141 | ---- | C] () -- C:\WINDOWS\rprtvwr.ini
[2010/05/12 19:44:29 | 000,327,680 | ---- | C] () -- C:\WINDOWS\System32\SmaRTEng.dll
[2010/03/05 20:44:08 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini
[2010/03/05 20:30:48 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/03/05 20:30:48 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/03/05 20:30:46 | 002,378,752 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2010/03/05 20:30:45 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2010/03/05 20:30:45 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/03/05 20:30:45 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/03/05 20:30:43 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/03/05 20:30:43 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/10/19 04:34:58 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

========== LOP Check ==========

[2010/07/27 21:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/07/19 22:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/07/18 11:30:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/07/19 17:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG9
[2010/03/05 20:30:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Foxit
[2010/07/27 08:10:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GrabIt
[2010/07/15 18:31:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\gtk-2.0
[2010/06/08 18:26:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LimeWire
[2010/07/06 08:02:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Thunderbird
[2010/07/22 20:41:58 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/08/01 11:34:22 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2010/08/01 11:36:26 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A1024902-1157-4F08-AFB6-142215FD8C43}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/07/20 10:16:08 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/07/27 19:50:13 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/03/05 21:19:38 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/08/01 11:19:48 | 1610,145,792 | -HS- | M] () -- C:\hiberfil.sys
[2003/12/08 13:15:56 | 000,028,672 | R--- | M] ( ) -- C:\hpqimgrc.resources.dll
[2010/03/05 21:19:38 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/03/05 21:19:38 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/03/05 14:23:26 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/03/05 14:23:25 | 001,073,152 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/03/05 14:23:25 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/07/19 08:05:47 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/07/19 08:05:57 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys
[2010/07/19 08:05:45 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgrkx86.sys
[2010/07/19 08:05:59 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2010/07/22 20:06:13 | 000,004,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\beep.sys
[2010/07/22 19:04:58 | 000,016,968 | ---- | M] () -- C:\WINDOWS\system32\drivers\hitmanpro35.sys
[2010/07/20 07:34:19 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\system32\drivers\SBREDrv.sys
[2010/07/18 12:25:53 | 000,697,328 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\system32\drivers\sptd.sys
[2010/07/17 16:18:44 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system32\drivers\xztkleq.sys
[2010/07/17 16:18:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system32\drivers\zyuzv.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2009/08/14 10:19:28 | 000,091,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
< End of report >


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 02 August 2010 - 06:36 AM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 Cabinetguy

Cabinetguy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 02 August 2010 - 04:11 PM

ComboFix 10-08-02.01 - Owner 08/02/2010 17:01:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1100 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
ADS - svchost.exe: deleted 26 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\87ghd.log

.
((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-08-02 20:24 . 2010-07-27 06:28 8463360 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-28 22:14 . 2010-07-28 22:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Office Genuine Advantage
2010-07-28 22:14 . 2010-07-28 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-28 11:53 . 2010-03-05 14:37 65536 ------w- c:\windows\system32\dllcache\asycfilt.dll
2010-07-28 11:52 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-28 11:51 . 2010-05-06 10:36 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-20 21:30 . 2010-07-20 21:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2010-07-20 11:34 . 2010-07-20 11:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-20 02:22 . 2010-07-20 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-19 22:00 . 2010-07-19 22:00 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-07-19 21:56 . 2010-07-19 21:57 -------- d-----w- c:\windows\ERUNT
2010-07-19 21:41 . 2008-10-15 16:25 339456 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-07-19 11:55 . 2010-07-19 12:09 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-18 16:36 . 2010-07-18 16:36 -------- d-----w- c:\program files\Playlogic
2010-07-18 16:32 . 2010-07-18 16:32 -------- d-----w- c:\program files\Alcohol Soft
2010-07-18 16:04 . 2010-07-18 16:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-18 15:49 . 2010-07-18 15:49 -------- d-----w- c:\windows\system32\xircom
2010-07-18 15:49 . 2010-07-18 15:49 -------- d-----w- c:\windows\system32\wbem\snmp
2010-07-18 15:49 . 2010-07-18 15:49 -------- d-----w- c:\windows\system32\oobe
2010-07-18 15:48 . 2010-07-18 15:48 -------- d-----w- c:\program files\microsoft frontpage
2010-07-18 15:31 . 2010-07-22 23:04 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-18 15:30 . 2010-07-18 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-18 15:21 . 2010-07-18 16:11 -------- d-----w- C:\Antispyware mobile
2010-07-18 15:20 . 2010-07-18 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-18 15:14 . 2010-07-18 15:14 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-18 15:14 . 2010-07-18 15:14 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-18 15:14 . 2010-07-18 15:14 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-18 15:07 . 2010-07-18 16:25 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-18 02:04 . 2010-07-18 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-07-18 02:04 . 2010-07-18 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-18 00:26 . 2010-07-18 00:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-17 23:54 . 2010-07-23 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-17 21:28 . 2010-07-25 19:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-17 21:21 . 2010-07-17 21:21 -------- d-----w- c:\program files\AVG
2010-07-17 20:14 . 2010-07-17 20:18 0 ----a-w- c:\windows\system32\drivers\zyuzv.sys
2010-07-17 20:13 . 2010-07-17 20:13 120 ----a-w- c:\windows\Qbinewe.dat
2010-07-17 20:13 . 2010-07-17 20:13 0 ----a-w- c:\windows\Svahe.bin
2010-07-17 20:12 . 2010-07-17 20:18 0 ----a-w- c:\windows\system32\drivers\xztkleq.sys
2010-07-17 20:11 . 2002-12-16 17:27 40960 ----a-w- c:\windows\system32\vbalflbr6.dll
2010-07-17 20:11 . 1999-06-20 05:51 413756 ----a-w- c:\windows\system32\dijpg.dll
2010-07-17 20:10 . 2010-07-20 02:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\QuickPar
2010-07-17 20:10 . 2010-07-17 20:10 -------- d-----w- c:\program files\QuickPar
2010-07-17 19:35 . 2010-07-27 12:10 -------- d-----w- c:\documents and settings\Owner\Application Data\GrabIt
2010-07-17 19:27 . 2010-07-17 19:27 -------- d-----w- c:\program files\GrabIt
2010-07-17 01:44 . 2010-07-17 01:44 -------- d-----w- c:\program files\Panasonic
2010-07-17 01:44 . 2006-02-27 15:45 36864 ----a-w- c:\windows\system32\SDDEVMGR.dll
2010-07-16 21:22 . 2007-07-03 21:00 9256 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2010-07-16 21:22 . 2007-07-03 21:00 9256 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2010-07-16 21:22 . 2007-07-03 20:59 86824 ----a-w- c:\windows\system32\drivers\sscdserd.sys
2010-07-16 21:22 . 2007-07-03 20:58 106792 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2010-07-16 21:22 . 2007-07-03 20:57 11944 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2010-07-16 21:22 . 2007-07-03 20:56 9256 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2010-07-16 21:22 . 2007-07-03 20:56 9256 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2010-07-16 21:22 . 2007-07-03 20:54 80552 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2010-07-16 21:22 . 2010-07-16 21:22 -------- d-----w- c:\program files\Samsung
2010-07-15 22:18 . 2010-07-15 22:31 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-07-08 14:58 . 2010-07-08 14:59 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-07-06 12:38 . 2009-12-09 21:31 20992 ----a-w- c:\documents and settings\Owner\Application Data\Thunderbird\Profiles\x8ap3sp4.default\extensions\{de1b245c-de57-11da-ba2d-0050c2490048}\library\WINNT-32\MinimizeToTrayPlus.dll
2010-07-06 12:02 . 2010-07-06 12:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Thunderbird
2010-07-06 12:02 . 2010-07-06 12:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Thunderbird
2010-07-06 12:02 . 2010-07-06 12:02 -------- d-----w- c:\program files\Mozilla Thunderbird

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 21:02 . 2009-10-19 08:27 14848 ----a-w- c:\windows\system32\svchost.exe
2010-07-23 00:05 . 2010-07-22 23:31 16384 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\tskill.exe
2010-07-20 10:40 . 2010-03-06 00:44 -------- d-----w- c:\program files\MultiRes
2010-07-18 00:18 . 2010-07-03 20:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-17 01:44 . 2010-03-06 00:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-16 22:51 . 2010-05-31 14:12 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-07-16 21:22 . 2010-03-06 00:44 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-03 20:55 . 2010-07-03 20:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Ventrilo
2010-07-03 20:52 . 2010-07-03 20:52 -------- d-----w- c:\program files\Ventrilo
2010-06-27 18:15 . 2010-06-27 18:15 -------- d-----w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2010-06-24 21:26 . 2010-06-24 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-06-24 21:26 . 2010-06-24 21:26 -------- d-----w- c:\program files\Logitech
2010-06-22 23:17 . 2010-06-22 23:17 -------- d-----w- c:\program files\GPLGS
2010-06-22 23:15 . 2010-06-22 23:15 -------- d-----w- c:\program files\Acro Software
2010-06-22 21:30 . 2010-06-22 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-15 23:51 . 2010-06-15 23:51 -------- d-----w- c:\program files\ANI
2010-06-15 23:50 . 2010-06-15 23:50 -------- d-----w- c:\program files\D-Link
2010-06-15 23:50 . 2010-06-15 23:50 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2010-06-15 21:34 . 2010-03-07 14:05 64632 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2010-03-06 01:17 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-13 12:31 . 2010-06-10 21:45 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet
2010-06-10 21:45 . 2010-06-10 21:44 -------- d-----w- c:\program files\Tablet
2010-06-08 22:26 . 2010-03-16 00:55 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-06-08 21:28 . 2010-06-08 21:27 -------- d-----w- c:\program files\GIMP-2.0
2010-06-08 21:16 . 2010-06-08 21:16 -------- d-----w- c:\program files\Trend Micro
2010-06-06 14:48 . 2010-04-19 01:02 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2010-06-04 22:21 . 2010-03-06 01:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 12:46 . 2010-04-19 01:06 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 12:46 . 2010-04-19 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-04 12:37 . 2010-06-04 12:37 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-04 12:37 . 2010-04-19 00:58 -------- d-----w- c:\program files\DivX
2010-06-04 12:37 . 2010-06-04 12:37 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 12:13 . 2010-04-19 00:58 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-06-04 12:13 . 2010-04-19 01:03 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 12:13 . 2010-04-19 01:03 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-31 14:53 . 2010-05-12 00:03 104157 ----a-w- c:\windows\hpoins04.dat
2010-05-31 14:47 . 2010-05-31 14:47 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-05-28 20:44 . 2010-05-28 20:44 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16b9c417-n\msvcp71.dll
2010-05-28 20:44 . 2010-05-28 20:44 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16b9c417-n\jmc.dll
2010-05-28 20:44 . 2010-05-28 20:44 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16b9c417-n\msvcr71.dll
2010-05-28 20:44 . 2010-05-28 20:44 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6515d892-n\decora-sse.dll
2010-05-28 20:44 . 2010-05-28 20:44 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6515d892-n\decora-d3d.dll
2010-05-28 20:43 . 2010-05-28 20:44 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 21:29 . 2010-05-26 21:29 319488 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2010-05-11 11:29 . 2010-05-11 11:29 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-11 11:29 . 2010-05-11 11:29 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-11 11:29 . 2010-05-11 11:29 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-11 11:29 . 2010-05-11 11:29 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-06 10:36 . 2009-10-19 08:27 919040 ----a-w- c:\windows\system32\wininet.dll
.

------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ATI Tray Tools.lnk - c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.exe [2007-12-31 570528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
20-20 Shortcut Bar.lnk - c:\program files\20-20 Technologies\2020Design\mswin\60\scbar.exe [2010-5-13 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [3/5/2010 8:44 PM 17952]
R2 sentemu;SentEMU;c:\windows\system32\drivers\SENTEMU.SYS [5/12/2010 7:36 PM 24608]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 2:11 AM 17184]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [6/15/2010 7:50 PM 547744]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [6/24/2010 5:26 PM 14856]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/10/2010 5:44 PM 15144]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/18/2010 11:07 AM 697328]
S4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [6/10/2010 5:44 PM 3032360]
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-02 c:\windows\Tasks\User_Feed_Synchronization-{A1024902-1157-4F08-AFB6-142215FD8C43}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 17:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(432)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-02 17:09:24
ComboFix-quarantined-files.txt 2010-08-02 21:09

Pre-Run: 66,630,467,584 bytes free
Post-Run: 66,873,962,496 bytes free

- - End Of File - - 9D0C29B4CC7B9444C5044C32A43E236F


#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 02 August 2010 - 06:57 PM

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

c:\windows\system32\drivers\zyuzv.sys
c:\windows\system32\svchost.exe
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\user32.dll
c:\windows\system32\user32.dll


This will produce a report after the scan is complete, please copy and paste those results in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 Cabinetguy

Cabinetguy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 03 August 2010 - 03:49 PM

I expected it to generate a log file when i was done, but it didn't I assume I was supposed to copy and paste after each file scan, the outcome. I apologize for the brain fart. I did however use both scanners and they both reported no problems with any of the files, except the first file, c:\windows\system32\drivers\zyuzv.sys, that file is 0 bytes and I got an error saying that it was 0 bytes.



#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 03 August 2010 - 05:27 PM

Ok that is as much as I expected.
Please do these 2 again and post the information on the screen that appears for each file.
You can copy the information and paste it here.

c:\windows\system32\svchost.exe
c:\windows\system32\user32.dll
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 Cabinetguy

Cabinetguy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 04 August 2010 - 07:16 PM


Jotti's malware scan
Filename: svchost.exe
Status:
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Thu 5 Aug 2010 02:11:53 (CET) Permalink

Additional info
File size: 14848 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 67e38b4a549833e02d4d1617b5dbc318
SHA1: 86822a42cebee91fb95009f787d783a63e7905f3




Scanners
[ArcaVir]
2010-08-05 Found nothing
[G DATA]
2010-08-04 Found nothing
[Avast! antivirus]
2010-08-04 Found nothing
[Ikarus]
2010-08-04 Found nothing
[Grisoft AVG Anti-Virus]
2010-08-04 Found nothing
[Kaspersky Anti-Virus]
2010-08-04 Found nothing
[Avira AntiVir]
2010-08-04 Found nothing
[ESET NOD32]
2010-08-04 Found nothing
[Softwin BitDefender]
2010-08-04 Found nothing
[Panda Antivirus]
2010-08-04 Found nothing
[ClamAV]
2010-08-04 Found nothing
[Quick Heal]
2010-08-04 Found nothing
[CPsecure]
2010-08-05 Found nothing
[Sophos]
2010-08-05 Found nothing
[Dr.Web]
2010-08-05 Found nothing
[VirusBlokAda VBA32]
2010-08-04 Found nothing
[Frisk F-Prot Antivirus]
2010-08-04 Found nothing
[VirusBuster]
2010-08-04 Found nothing
[F-Secure Anti-Virus]
2010-08-04 Found nothing




Jotti's malware scan
Filename: user32.dll
Status:
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Thu 5 Aug 2010 02:14:01 (CET) Permalink

Additional info
File size: 578560 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 3de22354c3609b3c3e5dc2c19c5e0693
SHA1: 1d8ed6741e0f37312dc6c38ce00fac0e2f047d8f




Scanners
[ArcaVir]
2010-08-05 Found nothing
[G DATA]
2010-08-04 Found nothing
[Avast! antivirus]
2010-08-04 Found nothing
[Ikarus]
2010-08-04 Found nothing
[Grisoft AVG Anti-Virus]
2010-08-04 Found nothing
[Kaspersky Anti-Virus]
2010-08-04 Found nothing
[Avira AntiVir]
2010-08-04 Found nothing
[ESET NOD32]
2010-08-04 Found nothing
[Softwin BitDefender]
2010-08-04 Found nothing
[Panda Antivirus]
2010-08-04 Found nothing
[ClamAV]
2010-08-04 Found nothing
[Quick Heal]
2010-08-04 Found nothing
[CPsecure]
2010-08-05 Found nothing
[Sophos]
2010-08-05 Found nothing
[Dr.Web]
2010-08-05 Found nothing
[VirusBlokAda VBA32]
2010-08-04 Found nothing
[Frisk F-Prot Antivirus]
2010-08-04 Found nothing
[VirusBuster]
2010-08-04 Found nothing
[F-Secure Anti-Virus]
2010-08-04 Found nothing




#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 05 August 2010 - 06:01 AM

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
http://www.bleepingcomputer.com/forums/t/334230/infected-with-virus-that-affects-svchost/?p=1872331

Collect::
c:\windows\system32\drivers\zyuzv.sys
c:\windows\Qbinewe.dat
c:\windows\Svahe.bin
c:\windows\system32\drivers\xztkleq.sys

SrPeek::
c:\windows\system32\drivers\tcpip.sys
c:\windows\System32\wscntfy.exe

MIA::
c:\windows\system32\drivers\tcpip.sys
c:\windows\System32\wscntfy.exe


2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



4. During this run Combofix will collect and automatically upload some sample files.
You will see it say Combofix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 Cabinetguy

Cabinetguy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 06 August 2010 - 05:47 PM

Ok, it said that it submitted it, but I just uploaded it manually, just in case

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 07 August 2010 - 06:35 AM

OK can you please post the newest combofix log it should be saved here C:\Combofix.txt.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 Cabinetguy

Cabinetguy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 07 August 2010 - 01:15 PM

ComboFix 10-08-05.02 - Owner 08/05/2010 18:26:07.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1168 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

file zipped: c:\windows\Qbinewe.dat
file zipped: c:\windows\Svahe.bin
file zipped: c:\windows\system32\drivers\xztkleq.sys
file zipped: c:\windows\system32\drivers\zyuzv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\Qbinewe.dat
c:\windows\Svahe.bin
c:\windows\system32\drivers\xztkleq.sys
c:\windows\system32\drivers\zyuzv.sys

c:\windows\System32\wscntfy.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-05 00:17 . 2010-08-05 00:17 -------- d-----w- c:\program files\ESET
2010-08-04 22:18 . 2010-08-04 22:18 -------- d-----w- c:\program files\Recuva
2010-08-04 21:30 . 2010-07-27 02:30 705208 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-08-04 21:30 . 2010-07-27 02:30 978664 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-08-04 11:14 . 2010-08-04 11:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-04 10:57 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-04 10:57 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-04 10:57 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-04 10:57 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-04 10:57 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-04 10:57 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-04 10:57 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-04 10:57 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-04 10:57 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-04 10:56 . 2010-08-04 10:56 -------- d-----w- c:\program files\Alwil Software
2010-08-04 10:56 . 2010-08-04 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-04 10:48 . 2010-08-05 02:25 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan
2010-08-04 10:19 . 2010-08-04 10:20 0 ----a-w- c:\windows\system32\drivers\svpxfi.sys
2010-08-04 10:19 . 2010-08-04 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-02 20:24 . 2010-07-27 06:28 8463360 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-28 22:14 . 2010-07-28 22:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Office Genuine Advantage
2010-07-28 22:14 . 2010-07-28 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-28 11:53 . 2010-03-05 14:37 65536 ------w- c:\windows\system32\dllcache\asycfilt.dll
2010-07-28 11:52 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-28 11:51 . 2010-05-06 10:36 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-20 21:30 . 2010-07-20 21:30 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2010-07-20 11:34 . 2010-07-20 11:34 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-20 02:22 . 2010-07-20 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-19 22:00 . 2010-07-19 22:00 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-07-19 21:56 . 2010-07-19 21:57 -------- d-----w- c:\windows\ERUNT
2010-07-19 21:41 . 2008-10-15 16:25 339456 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-07-19 11:55 . 2010-07-19 12:09 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-18 16:36 . 2010-07-18 16:36 -------- d-----w- c:\program files\Playlogic
2010-07-18 16:32 . 2010-07-18 16:32 -------- d-----w- c:\program files\Alcohol Soft
2010-07-18 16:04 . 2010-07-18 16:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-18 15:49 . 2010-07-18 15:49 -------- d-----w- c:\windows\system32\xircom
2010-07-18 15:49 . 2010-07-18 15:49 -------- d-----w- c:\windows\system32\wbem\snmp
2010-07-18 15:49 . 2010-07-18 15:49 -------- d-----w- c:\windows\system32\oobe
2010-07-18 15:48 . 2010-07-18 15:48 -------- d-----w- c:\program files\microsoft frontpage
2010-07-18 15:31 . 2010-08-04 18:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-18 15:30 . 2010-08-04 11:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-07-18 15:21 . 2010-07-18 16:11 -------- d-----w- C:\Antispyware mobile
2010-07-18 15:20 . 2010-07-18 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-18 15:14 . 2010-07-18 15:14 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-18 15:14 . 2010-07-18 15:14 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-18 15:14 . 2010-07-18 15:14 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-18 15:07 . 2010-07-18 16:25 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-07-18 02:04 . 2010-07-18 02:04 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-07-18 02:04 . 2010-07-18 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-18 00:26 . 2010-07-18 00:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-17 23:54 . 2010-07-23 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-17 21:28 . 2010-07-25 19:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-17 21:21 . 2010-07-17 21:21 -------- d-----w- c:\program files\AVG
2010-07-17 20:11 . 2002-12-16 17:27 40960 ----a-w- c:\windows\system32\vbalflbr6.dll
2010-07-17 20:11 . 1999-06-20 05:51 413756 ----a-w- c:\windows\system32\dijpg.dll
2010-07-17 20:10 . 2010-08-04 10:08 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\QuickPar
2010-07-17 20:10 . 2010-07-17 20:10 -------- d-----w- c:\program files\QuickPar
2010-07-17 19:35 . 2010-08-04 10:15 -------- d-----w- c:\documents and settings\Owner\Application Data\GrabIt
2010-07-17 19:27 . 2010-07-17 19:27 -------- d-----w- c:\program files\GrabIt
2010-07-17 01:44 . 2010-07-17 01:44 -------- d-----w- c:\program files\Panasonic
2010-07-17 01:44 . 2006-02-27 15:45 36864 ----a-w- c:\windows\system32\SDDEVMGR.dll
2010-07-16 21:22 . 2007-07-03 21:00 9256 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2010-07-16 21:22 . 2007-07-03 21:00 9256 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2010-07-16 21:22 . 2007-07-03 20:59 86824 ----a-w- c:\windows\system32\drivers\sscdserd.sys
2010-07-16 21:22 . 2007-07-03 20:58 106792 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2010-07-16 21:22 . 2007-07-03 20:57 11944 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2010-07-16 21:22 . 2007-07-03 20:56 9256 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2010-07-16 21:22 . 2007-07-03 20:56 9256 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2010-07-16 21:22 . 2007-07-03 20:54 80552 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2010-07-16 21:22 . 2010-07-16 21:22 -------- d-----w- c:\program files\Samsung
2010-07-15 22:18 . 2010-07-15 22:31 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-07-08 14:58 . 2010-07-08 14:59 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-04 21:53 . 2010-06-22 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-08-04 19:46 . 2010-03-06 00:30 -------- d-----w- c:\program files\Unlocker
2010-07-23 21:02 . 2009-10-19 08:27 14848 ----a-w- c:\windows\system32\svchost.exe
2010-07-23 00:05 . 2010-07-22 23:31 16384 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\tskill.exe
2010-07-20 10:40 . 2010-03-06 00:44 -------- d-----w- c:\program files\MultiRes
2010-07-18 00:18 . 2010-07-03 20:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-17 01:44 . 2010-03-06 00:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-16 22:51 . 2010-05-31 14:12 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-07-16 21:22 . 2010-03-06 00:44 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-06 12:02 . 2010-07-06 12:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Thunderbird
2010-07-06 12:02 . 2010-07-06 12:02 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-03 20:55 . 2010-07-03 20:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Ventrilo
2010-07-03 20:52 . 2010-07-03 20:52 -------- d-----w- c:\program files\Ventrilo
2010-06-27 18:15 . 2010-06-27 18:15 -------- d-----w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2010-06-24 21:26 . 2010-06-24 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-06-24 21:26 . 2010-06-24 21:26 -------- d-----w- c:\program files\Logitech
2010-06-22 23:17 . 2010-06-22 23:17 -------- d-----w- c:\program files\GPLGS
2010-06-22 23:15 . 2010-06-22 23:15 -------- d-----w- c:\program files\Acro Software
2010-06-15 23:51 . 2010-06-15 23:51 -------- d-----w- c:\program files\ANI
2010-06-15 23:50 . 2010-06-15 23:50 -------- d-----w- c:\program files\D-Link
2010-06-15 23:50 . 2010-06-15 23:50 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2010-06-15 21:34 . 2010-03-07 14:05 64632 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2010-03-06 01:17 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-13 12:31 . 2010-06-10 21:45 -------- d-----w- c:\documents and settings\Owner\Application Data\WTablet
2010-06-10 21:45 . 2010-06-10 21:44 -------- d-----w- c:\program files\Tablet
2010-06-08 22:26 . 2010-03-16 00:55 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-06-08 21:28 . 2010-06-08 21:27 -------- d-----w- c:\program files\GIMP-2.0
2010-06-08 21:16 . 2010-06-08 21:16 -------- d-----w- c:\program files\Trend Micro
2010-06-04 12:46 . 2010-04-19 01:06 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 12:37 . 2010-06-04 12:37 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-04 12:37 . 2010-06-04 12:37 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 12:13 . 2010-04-19 00:58 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-06-04 12:13 . 2010-04-19 01:03 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 12:13 . 2010-04-19 01:03 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-31 14:53 . 2010-05-12 00:03 104157 ----a-w- c:\windows\hpoins04.dat
2010-05-31 14:47 . 2010-05-31 14:47 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-05-28 20:44 . 2010-05-28 20:44 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16b9c417-n\msvcp71.dll
2010-05-28 20:44 . 2010-05-28 20:44 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16b9c417-n\jmc.dll
2010-05-28 20:44 . 2010-05-28 20:44 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-16b9c417-n\msvcr71.dll
2010-05-28 20:44 . 2010-05-28 20:44 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6515d892-n\decora-sse.dll
2010-05-28 20:44 . 2010-05-28 20:44 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6515d892-n\decora-d3d.dll
2010-05-28 20:43 . 2010-05-28 20:44 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 21:29 . 2010-05-26 21:29 319488 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2010-05-11 11:29 . 2010-05-11 11:29 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-11 11:29 . 2010-05-11 11:29 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-11 11:29 . 2010-05-11 11:29 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-11 11:29 . 2010-05-11 11:29 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\recycler\S-1-5-21-484763869-1078145449-1417001333-1003\Dc1\tcpip.sys [x]
[-] BA8C046D98345129723E6BCAA1E8AB99 361600 \RP14\A0010573.sys
.
------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ATI Tray Tools.lnk - c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.exe [2007-12-31 570528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
20-20 Shortcut Bar.lnk - c:\program files\20-20 Technologies\2020Design\mswin\60\scbar.exe [2010-5-13 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/4/2010 6:57 AM 165456]
R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [3/5/2010 8:44 PM 17952]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/4/2010 6:57 AM 17744]
R2 sentemu;SentEMU;c:\windows\system32\drivers\SENTEMU.SYS [5/12/2010 7:36 PM 24608]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 2:11 AM 17184]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [6/15/2010 7:50 PM 547744]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [10/19/2009 4:29 AM 9472]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [6/24/2010 5:26 PM 14856]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/10/2010 5:44 PM 15144]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/18/2010 11:07 AM 697328]
S4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [6/10/2010 5:44 PM 3032360]
.
Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-08-05 c:\windows\Tasks\User_Feed_Synchronization-{A1024902-1157-4F08-AFB6-142215FD8C43}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101046100&s=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\r3ow8tre.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101046100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 18:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-05 18:34:29
ComboFix-quarantined-files.txt 2010-08-05 22:34

Pre-Run: 66,626,625,536 bytes free
Post-Run: 66,695,307,264 bytes free

- - End Of File - - 24B1D1F84B33FEFB4AAC709300FC2E51
Upload was successful


#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:46 AM

Posted 07 August 2010 - 02:41 PM

Hi do you have your Windows Xp pro disk handy?
Or do you know someone that has one you can borrow?

We will need it as you have some files missing from the operating system that need to be replaced.


Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 Cabinetguy

Cabinetguy
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:10:46 AM

Posted 09 August 2010 - 11:44 AM

yes, I have one.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users