SPAM virus causes pop-ups with Symantec email proxy alerts


10 replies to this topic

#1 jimmakos7

  • Members
  • 6 posts

Posted 19 August 2010 - 04:11 AM

A user on our network got a virus. Whenever connected to the internet, something is trying to send spam mail and we get the Symantec email proxy error messages by the 10s. The messages are exactly like those shown here: http://www.symantec.com/connect/forums/bom...ups-screenshots

I should also add that when I remove the user from the network, all is fine. The second I put the network cable in and the user gets an IP I get many pop-ups (50 or more). After many minutes I get pop-ups again.

I have done some tests. First I scanned with MBAM and it didn't find anything. Symantec Endpoint Protection v.11 doesn't find anything. I tried SUPERAntiSpyware and it showed me that the PC is infected with Rootkit.Agent/Gen-TDSS on C:\WINDOWS\SYSTEM32\DRIVERS\OYJQUW.SYS. I tried removing it and rebooted the PC, but the rootkit wasn't removed (I saw from other posts that I am not the only one with that problem). I got new pop-ups again.

I then checked with GMER and OTL. I had read something about running Combofix.exe for this rootkit, but I will wait until you tell me to run it.

I am now posting the logs from MBAM, GMER and OTL.

NOTE: I had problems running GMER. I had to run GMER in Safe Mode and uncheck the Devices checkbox in order to get it to finish. I was getting automatic restarts and some black screens after the restarts. It wasn't even able to boot into Safe Mode, so I had to manually attach the hard drive to a second PC (as a second hard drive) and perform a check disk on it.

NOTE 2: I had posted another topic ( http://www.bleepingcomputer.com/forums/t/340597/rootkitagentgen-tdss-need-your-help-to-remove-it/ ) about this issue, but I am afraid it wasn't detailed enough. I am a new user of the forum, so please excuse me. You can delete that topic if you want.

MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4443

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

18/8/2010 9:56:09 πμ
mbam-log-2010-08-18 (09-56-09).txt

Scan type: Quick scan
Objects scanned: 197630
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-19 11:11:40
Windows 5.1.2600 Service Pack 2
Running: tlq00bdh.exe; Driver: C:\DOCUME~1\peggy\LOCALS~1\Temp\kwkdrkog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text oyjquw.sys F74B6000 12 Bytes JMP F7507BC2 oyjquw.sys
.text oyjquw.sys F74B600D 5 Bytes [00, 9C, E9, F6, 19]
.text oyjquw.sys F74B6019 61 Bytes CALL F03B3264
.text oyjquw.sys F74B605D 8 Bytes [9F, 66, 0F, AB, C2, 66, 8B, ...]
.text oyjquw.sys F74B6066 271 Bytes [66, 91, F8, 66, 8B, 45, 02, ...]
.text ...
? C:\WINDOWS\system32\drivers\oyjquw.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F7355C55 4 Bytes CALL 863E7661

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] kwkpwtvg <-- ROOTKIT !!!
Service (*** hidden *** ) [BOOT] oyjquw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg@DisplayName Helper Time
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg@Description Provides the endpoint mapper and other miscellaneous RPC services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwkpwtvg\Parameters@ServiceDll C:\WINDOWS\system32\ewzwmzm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyjquw@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyjquw@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyjquw@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\oyjquw@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg@DisplayName Helper Time
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg@Description Provides the endpoint mapper and other miscellaneous RPC services.
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kwkpwtvg\Parameters@ServiceDll C:\WINDOWS\system32\ewzwmzm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\oyjquw@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\oyjquw@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\oyjquw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\oyjquw@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----


OTL log with Extras:

OTL logfile created on: 19/8/2010 11:31:49 πμ - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\peggy\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000408 | Country: Greece | Language: ELL | Date Format: d/M/yyyy

1.015,00 Mb Total Physical Memory | 478,00 Mb Available Physical Memory | 47,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 76,00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 60,99 Gb Free Space | 81,84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SECRETERIAT_NEW
Current User Name: Stavroula
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\peggy\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Norton Ghost\Agent\VProSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Norton Ghost\Agent\VProTray.exe (Symantec Corporation)
PRC - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe (Symantec)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe ()
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\system32\BRSS01A.EXE (brother Industries Ltd)
PRC - C:\WINDOWS\system32\BRSVC01A.EXE (brother Industries Ltd)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\peggy\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (Norton Ghost) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe (Symantec Corporation)
SRV - (SymSnapService) -- C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe (Symantec)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
SRV - (Brother XP spl Service) -- C:\WINDOWS\system32\BRSVC01A.EXE (brother Industries Ltd)


========== Driver Services (SafeList) ==========

DRV - (SetupNTGLM7X) -- D:\NTGLM7X.sys File not found
DRV - (NTACCESS) -- D:\NTACCESS.sys File not found
DRV - (MSICPL) -- D:\install4\MSICPL.sys File not found
DRV - (KdsMm) -- C:\WINDOWS\System32\drivers\kdsmm.sys File not found
DRV - (GMSIPCI) -- D:\INSTALL\GMSIPCI.SYS File not found
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100818.033\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100818.033\NAVENG.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (symsnap) -- C:\WINDOWS\system32\DRIVERS\symsnap.sys (StorageCraft)
DRV - (v2imount) -- C:\WINDOWS\system32\drivers\v2imount.sys (Symantec Corporation)
DRV - (WimFltr) -- C:\WINDOWS\system32\drivers\WimFltr.sys (Microsoft Corporation)
DRV - (VProEventMonitor) -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (CyUsb) -- C:\WINDOWS\system32\drivers\CyUsb.sys (Cypress Semiconductor)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)
DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)
DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)
DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)
DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)
DRV - (Winacusb) -- C:\WINDOWS\system32\drivers\winacusb.sys (U.S. Robotics)
DRV - (Blfp) -- C:\WINDOWS\system32\drivers\baspxp32.sys (Broadcom Corporation)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (adpu320) -- C:\WINDOWS\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (Symmpi) -- C:\WINDOWS\system32\DRIVERS\symmpi.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\WINDOWS\system32\drivers\ac97intc.sys (Intel Corporation)
DRV - (scsiscan) -- C:\WINDOWS\system32\drivers\scsiscan.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.in.gr/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = andromeda:8080



O1 HOSTS File: ([2004/08/04 16:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [kds_i30_i40] C:\Program Files\Kodak\Document Imaging\KDSEvents.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Norton Ghost 14.0] C:\Program Files\Norton Ghost\Agent\VProTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bis.com.gr
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\peggy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\peggy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{917ebdbd-6ad6-11de-92e1-000ffe2a78db}\Shell - "" = Autorun
O33 - MountPoints2\{917ebdbd-6ad6-11de-92e1-000ffe2a78db}\Shell\AutoRun\command - "" = Pstart.exe
O33 - MountPoints2\{917ebdbd-6ad6-11de-92e1-000ffe2a78db}\Shell\dismount\command - "" = TrueCrypt\TrueCrypt.exe /q /d
O33 - MountPoints2\{917ebdbd-6ad6-11de-92e1-000ffe2a78db}\Shell\open\command - "" = TrueCrypt\TrueCrypt.exe /e /m rm
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/18 09:57:22 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\peggy\Desktop\OTL.exe
[2010/08/17 13:39:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\peggy\Recent
[2010/08/17 13:07:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\peggy\Application Data\SUPERAntiSpyware.com
[2010/08/17 13:07:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/08/17 13:06:54 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/08/16 09:07:10 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\peggy\Desktop\mbam-setup-1.46.exe
[2010/07/28 11:10:09 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/07/28 10:55:42 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/19 11:34:56 | 000,764,928 | ---- | M] () -- C:\WINDOWS\System32\drivers\oyjquw.sys
[2010/08/19 11:24:28 | 000,556,480 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/19 11:24:28 | 000,466,152 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/19 11:24:28 | 000,079,594 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/19 11:21:40 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/19 11:20:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/19 11:19:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/19 11:19:29 | 1064,833,024 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/19 11:12:23 | 001,930,896 | -H-- | M] () -- C:\Documents and Settings\peggy\Local Settings\Application Data\IconCache.db
[2010/08/19 09:37:11 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\peggy\ntuser.ini
[2010/08/19 09:37:10 | 007,864,320 | -H-- | M] () -- C:\Documents and Settings\peggy\NTUSER.DAT
[2010/08/19 09:24:41 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At90.job
[2010/08/19 09:24:41 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At86.job
[2010/08/19 09:24:41 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At91.job
[2010/08/19 09:24:41 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At89.job
[2010/08/19 09:24:41 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At87.job
[2010/08/19 09:24:41 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At88.job
[2010/08/19 09:24:40 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At56.job
[2010/08/19 09:24:40 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At55.job
[2010/08/19 09:24:40 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At54.job
[2010/08/19 09:24:40 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/08/19 09:24:40 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At57.job
[2010/08/19 09:24:40 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At53.job
[2010/08/19 09:24:40 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/08/19 09:24:39 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2010/08/19 09:24:39 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At189.job
[2010/08/19 09:24:39 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At188.job
[2010/08/19 09:24:39 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2010/08/19 09:24:39 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2010/08/19 09:24:39 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2010/08/19 09:24:39 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/08/19 09:24:39 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At187.job
[2010/08/19 09:24:39 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2010/08/19 09:24:39 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2010/08/19 09:24:39 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/08/19 09:24:39 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At186.job
[2010/08/19 09:24:39 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2010/08/19 09:24:39 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At185.job
[2010/08/19 09:24:39 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At184.job
[2010/08/19 09:24:38 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At161.job
[2010/08/19 09:24:38 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At164.job
[2010/08/19 09:24:38 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At160.job
[2010/08/19 09:24:38 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At159.job
[2010/08/19 09:24:38 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At151.job
[2010/08/19 09:24:38 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At163.job
[2010/08/19 09:24:38 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At162.job
[2010/08/19 09:24:38 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At150.job
[2010/08/19 09:24:37 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At124.job
[2010/08/19 09:24:37 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At148.job
[2010/08/19 09:24:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At149.job
[2010/08/19 09:24:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At127.job
[2010/08/19 09:24:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At125.job
[2010/08/19 09:24:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At147.job
[2010/08/19 09:24:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At128.job
[2010/08/19 09:24:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At126.job
[2010/08/19 09:24:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At123.job
[2010/08/19 09:24:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At122.job
[2010/08/19 09:24:36 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/08/19 09:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At207.job
[2010/08/19 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At76.job
[2010/08/19 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At183.job
[2010/08/19 09:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At77.job
[2010/08/19 09:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/08/19 09:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At112.job
[2010/08/19 09:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At111.job
[2010/08/19 08:06:15 | 000,000,447 | ---- | M] () -- C:\WINDOWS\brwmark.ini
[2010/08/19 08:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At110.job
[2010/08/19 08:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At52.job
[2010/08/19 08:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At206.job
[2010/08/19 08:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At182.job
[2010/08/19 08:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/08/19 08:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At146.job
[2010/08/19 08:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At145.job
[2010/08/19 08:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At75.job
[2010/08/19 07:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At73.job
[2010/08/19 07:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At51.job
[2010/08/19 07:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At204.job
[2010/08/19 07:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/08/19 07:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At181.job
[2010/08/19 07:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At144.job
[2010/08/19 07:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At205.job
[2010/08/19 07:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At109.job
[2010/08/19 07:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At108.job
[2010/08/19 07:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At74.job
[2010/08/19 07:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/08/19 07:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At180.job
[2010/08/19 06:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/08/19 06:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At143.job
[2010/08/19 06:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At142.job
[2010/08/19 06:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At107.job
[2010/08/19 06:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At72.job
[2010/08/19 06:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At50.job
[2010/08/19 06:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At203.job
[2010/08/19 06:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At179.job
[2010/08/19 06:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At49.job
[2010/08/19 05:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At106.job
[2010/08/19 05:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At201.job
[2010/08/19 05:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/08/19 05:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At141.job
[2010/08/19 05:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At70.job
[2010/08/19 05:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At178.job
[2010/08/19 05:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/08/19 05:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At71.job
[2010/08/19 05:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2010/08/19 05:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At202.job
[2010/08/19 05:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At177.job
[2010/08/19 04:00:36 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At200.job
[2010/08/19 04:00:36 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At140.job
[2010/08/19 04:00:36 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2010/08/19 04:00:36 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/08/19 04:00:36 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At69.job
[2010/08/19 04:00:36 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2010/08/19 04:00:36 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At139.job
[2010/08/19 04:00:36 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At105.job
[2010/08/19 04:00:36 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At104.job
[2010/08/19 04:00:36 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At176.job
[2010/08/19 03:00:08 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At68.job
[2010/08/19 03:00:08 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2010/08/19 03:00:08 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At138.job
[2010/08/19 03:00:08 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At67.job
[2010/08/19 03:00:08 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At199.job
[2010/08/19 03:00:08 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At175.job
[2010/08/19 03:00:08 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/08/19 03:00:08 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At198.job
[2010/08/19 03:00:08 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At174.job
[2010/08/19 03:00:08 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At103.job
[2010/08/19 02:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2010/08/19 02:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/08/19 02:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At137.job
[2010/08/19 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2010/08/19 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At173.job
[2010/08/19 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At102.job
[2010/08/19 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At101.job
[2010/08/19 02:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At66.job
[2010/08/19 02:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At197.job
[2010/08/19 02:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At136.job
[2010/08/19 02:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/08/19 01:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At65.job
[2010/08/19 01:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At64.job
[2010/08/19 01:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/08/19 01:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At195.job
[2010/08/19 01:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At172.job
[2010/08/19 01:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At135.job
[2010/08/19 01:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2010/08/19 01:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At196.job
[2010/08/19 01:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At100.job
[2010/08/19 01:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At171.job
[2010/08/19 00:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At170.job
[2010/08/19 00:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/08/19 00:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At98.job
[2010/08/19 00:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At63.job
[2010/08/19 00:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2010/08/19 00:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At194.job
[2010/08/19 00:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At133.job
[2010/08/19 00:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At99.job
[2010/08/19 00:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2010/08/19 00:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At134.job
[2010/08/19 00:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/08/18 23:00:14 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At97.job
[2010/08/18 23:00:14 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/08/18 23:00:14 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At169.job
[2010/08/18 23:00:14 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At132.job
[2010/08/18 23:00:14 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At61.job
[2010/08/18 23:00:14 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At193.job
[2010/08/18 23:00:14 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2010/08/18 23:00:14 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At168.job
[2010/08/18 23:00:14 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At62.job
[2010/08/18 22:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At96.job
[2010/08/18 22:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At95.job
[2010/08/18 22:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At60.job
[2010/08/18 22:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2010/08/18 22:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At192.job
[2010/08/18 22:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/08/18 22:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2010/08/18 22:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At131.job
[2010/08/18 22:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At167.job
[2010/08/18 22:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/08/18 22:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At191.job
[2010/08/18 22:00:00 | 000,000,338 | ---- | M] () -- C:\WINDOWS\tasks\ADT.job
[2010/08/18 21:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2010/08/18 21:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At190.job
[2010/08/18 21:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/08/18 21:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At166.job
[2010/08/18 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At94.job
[2010/08/18 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At59.job
[2010/08/18 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At165.job
[2010/08/18 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At130.job
[2010/08/18 21:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At129.job
[2010/08/18 20:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At93.job
[2010/08/18 20:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At92.job
[2010/08/18 20:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At58.job
[2010/08/18 10:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At153.job
[2010/08/18 10:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At156.job
[2010/08/18 10:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At78.job
[2010/08/18 10:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At152.job
[2010/08/18 10:00:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At113.job
[2010/08/18 09:41:55 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\peggy\Desktop\OTL.exe
[2010/08/18 09:40:44 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\peggy\Desktop\tlq00bdh.exe
[2010/08/18 09:22:23 | 000,525,312 | ---- | M] () -- C:\Documents and Settings\peggy\My Documents\BIS.pst
[2010/08/18 09:21:59 | 000,000,098 | ---- | M] () -- C:\WINDOWS\brmx2001.ini
[2010/08/17 13:35:29 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At80.job
[2010/08/17 13:35:29 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At82.job
[2010/08/17 13:35:29 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At79.job
[2010/08/17 13:35:29 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At81.job
[2010/08/17 13:35:28 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2010/08/17 13:35:28 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/08/17 13:35:27 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/08/17 13:35:25 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At155.job
[2010/08/17 13:35:25 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At154.job
[2010/08/17 13:35:24 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At115.job
[2010/08/17 13:35:24 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\At114.job
[2010/08/17 13:35:24 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At118.job
[2010/08/17 13:35:24 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At117.job
[2010/08/17 13:35:24 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At116.job
[2010/08/17 13:26:08 | 000,000,868 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/17 13:06:56 | 000,001,683 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/08/16 10:15:06 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\peggy\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2010/08/16 09:07:37 | 000,000,701 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/16 09:07:20 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\peggy\Desktop\mbam-setup-1.46.exe
[2010/08/12 12:17:27 | 000,002,513 | ---- | M] () -- C:\Documents and Settings\peggy\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003.lnk
[2010/07/29 12:02:23 | 000,167,424 | ---- | M] () -- C:\Documents and Settings\peggy\Desktop\ΝΕΟ ΕΡΩΤΗΜΑΤΟΛΟΓΙΟ ΑΞΙΟΛΟΓΗΣΗΣ ΠΡΟΜΗΘΕΥΤΩΝ.doc
[2010/07/28 11:11:12 | 000,046,716 | ---- | M] () -- C:\Documents and Settings\peggy\Desktop\cc_20100728_111101.reg
[2010/07/28 11:10:11 | 000,001,553 | ---- | M] () -- C:\Documents and Settings\peggy\Desktop\CCleaner.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/19 11:19:29 | 1064,833,024 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/18 09:57:18 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\peggy\Desktop\tlq00bdh.exe
[2010/08/17 13:06:56 | 000,001,683 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/08/05 11:53:28 | 000,764,928 | ---- | C] () -- C:\WINDOWS\System32\drivers\oyjquw.sys
[2010/08/05 11:22:57 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\bawuho.dat
[2010/07/29 10:25:00 | 000,167,424 | ---- | C] () -- C:\Documents and Settings\peggy\Desktop\ΝΕΟ ΕΡΩΤΗΜΑΤΟΛΟΓΙΟ ΑΞΙΟΛΟΓΗΣΗΣ ΠΡΟΜΗΘΕΥΤΩΝ.doc
[2010/07/28 11:11:06 | 000,046,716 | ---- | C] () -- C:\Documents and Settings\peggy\Desktop\cc_20100728_111101.reg
[2010/07/28 11:10:11 | 000,001,553 | ---- | C] () -- C:\Documents and Settings\peggy\Desktop\CCleaner.lnk
[2010/07/28 08:04:47 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At207.job
[2010/07/28 07:24:28 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At206.job
[2010/07/28 06:44:06 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At205.job
[2010/07/28 06:03:47 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At204.job
[2010/07/28 05:23:27 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At203.job
[2010/07/28 04:43:08 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At202.job
[2010/07/28 04:02:48 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At201.job
[2010/07/28 03:22:29 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At200.job
[2010/07/28 02:42:09 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At199.job
[2010/07/28 02:01:49 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At198.job
[2010/07/28 01:21:27 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At197.job
[2010/07/28 00:41:04 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At196.job
[2010/07/28 00:00:45 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At195.job
[2010/07/27 23:20:14 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At194.job
[2010/07/27 22:39:55 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At193.job
[2010/07/27 21:59:35 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At192.job
[2010/07/27 21:19:15 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At191.job
[2010/07/27 20:38:56 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At190.job
[2010/07/27 19:58:36 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At189.job
[2010/07/27 19:18:17 | 000,000,352 | ---- | C] () -- C:\WINDOWS\tasks\At188.job
[2010/07/27 18:37:57 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At187.job
[2010/07/27 17:57:38 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At186.job
[2010/07/27 17:17:16 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At185.job
[2010/07/27 16:34:38 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At184.job
[2009/10/09 13:12:20 | 000,215,144 | R--- | C] () -- C:\WINDOWS\patchw32.dll
[2009/10/09 13:09:48 | 000,215,144 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2008/12/08 12:11:40 | 000,000,059 | ---- | C] () -- C:\WINDOWS\setscan.ini
[2008/12/08 12:11:39 | 000,004,553 | ---- | C] () -- C:\WINDOWS\pixcache.ini
[2008/06/05 15:08:39 | 000,000,331 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/06/05 15:08:38 | 000,215,552 | ---- | C] () -- C:\WINDOWS\System32\W4W48T.DLL
[2008/06/05 15:08:38 | 000,190,976 | ---- | C] () -- C:\WINDOWS\System32\W4W19T.DLL
[2008/06/05 15:08:38 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\XCONV32.DLL
[2008/06/05 15:08:38 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\W4W108T.DLL
[2008/06/05 15:08:37 | 000,103,936 | ---- | C] () -- C:\WINDOWS\System32\W4W01T.DLL
[2008/06/05 15:08:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\G4G521T.DLL
[2008/06/05 15:08:35 | 000,194,048 | ---- | C] () -- C:\WINDOWS\System32\G4G610T.DLL
[2008/06/05 15:08:35 | 000,186,880 | ---- | C] () -- C:\WINDOWS\System32\G4G615T.DLL
[2008/06/05 15:08:35 | 000,182,272 | ---- | C] () -- C:\WINDOWS\System32\G4G606T.DLL
[2008/06/05 15:08:35 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\G4G521F.DLL
[2008/06/05 15:08:35 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\G4G502F.DLL
[2008/06/05 15:08:33 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\XFILEXR.DLL
[2008/05/30 13:06:33 | 001,701,888 | ---- | C] () -- C:\WINDOWS\System32\kdssti.dll
[2008/05/28 14:04:50 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\nmocod.dll
[2008/05/28 14:02:19 | 000,000,087 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2008/02/20 14:13:23 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\peggy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/12 15:05:37 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2007/12/12 10:59:37 | 000,049,152 | ---- | C] () -- C:\WINDOWS\StiRegstEng.dll
[2007/12/12 10:56:52 | 000,000,099 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/12/12 10:55:04 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CDE P34903590EDFNSCHPET.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/12/06 17:01:18 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_1450.ini
[2006/12/06 17:00:54 | 000,000,098 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2006/12/06 17:00:40 | 000,000,447 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2006/12/06 17:00:38 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2006/12/06 17:00:37 | 000,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2006/10/26 15:44:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/17 14:30:02 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/02/09 14:29:54 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\VSHP1020.DLL
[2006/01/27 11:57:49 | 000,000,041 | ---- | C] () -- C:\WINDOWS\TImageListHandler.ini
[2006/01/27 11:55:03 | 000,000,044 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2006/01/27 11:43:32 | 000,592,384 | R--- | C] () -- C:\WINDOWS\System32\XpSecMaj.dll
[2006/01/27 11:43:32 | 000,244,984 | R--- | C] () -- C:\WINDOWS\System32\TUTIL32.DLL
[2006/01/27 11:43:32 | 000,121,856 | R--- | C] () -- C:\WINDOWS\System32\VIDEOLAB.DLL
[2006/01/27 11:43:32 | 000,108,032 | R--- | C] () -- C:\WINDOWS\System32\SH33W32.DLL
[2006/01/27 11:43:32 | 000,066,896 | R--- | C] () -- C:\WINDOWS\System32\VIDLAB16.DLL
[2006/01/27 11:43:31 | 000,435,200 | R--- | C] () -- C:\WINDOWS\System32\ILFILT32.DLL
[2006/01/27 11:43:31 | 000,307,200 | R--- | C] () -- C:\WINDOWS\System32\I3TIF32.DLL
[2006/01/27 11:43:31 | 000,229,376 | R--- | C] () -- C:\WINDOWS\System32\I3SPEC32.DLL
[2006/01/27 11:43:31 | 000,012,288 | R--- | C] () -- C:\WINDOWS\System32\IMPBORL.DLL
[2006/01/27 11:43:30 | 000,430,080 | R--- | C] () -- C:\WINDOWS\System32\CRDE96V3.DLL
[2006/01/27 11:43:30 | 000,370,688 | R--- | C] () -- C:\WINDOWS\System32\HA311W32.DLL
[2006/01/27 11:43:30 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\I3DXF32.DLL
[2006/01/23 19:32:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/23 19:28:28 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/01/23 19:28:28 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/01/23 19:28:28 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/01/23 19:28:28 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/01/23 19:28:28 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/01/23 19:28:28 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/01/23 19:26:43 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2006/01/23 18:52:04 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/01/23 09:37:13 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/08/18 15:52:23 | 000,057,421 | ---- | M] () -- C:\cclog.txt
[2007/01/28 12:36:29 | 039,567,422 | ---- | M] () -- C:\draft_copy_to print.pdf
[2007/03/15 10:54:27 | 001,007,972 | ---- | M] (Γενική Γραμματεία Πληροφοριακών Συστημάτων ) -- C:\FMYsetup.exe
[2010/08/19 11:19:29 | 1064,833,024 | -HS- | M] () -- C:\hiberfil.sys
[2006/01/23 19:28:14 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2006/01/23 19:28:14 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 11:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 11:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/08/19 11:19:27 | 1073,741,824 | -HS- | M] () -- C:\pagefile.sys
[2006/12/06 13:45:29 | 000,013,030 | ---- | M] () -- C:\PDOXUSRS.NET
[2009/11/23 09:05:47 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX

< %systemroot%\Fonts\*.com >
[2006/04/19 20:21:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/07/02 22:37:10 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/19 20:21:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/07/02 22:37:12 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2004/08/09 16:32:58 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2001/12/13 01:01:00 | 000,027,836 | ---- | M] (Brother Industries ,Ltd ) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\BRPP2KA.DLL
[2006/10/14 16:43:18 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/02/09 14:29:52 | 000,049,152 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IMFPRINT.DLL
[2003/06/18 17:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2007/03/22 20:25:42 | 000,677,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\PrintFilterPipelineSvc.exe
[2002/04/30 18:25:26 | 000,011,264 | ---- | M] (BVRP Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\wfxprint2000.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2004/08/09 16:20:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/09 16:20:10 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/09 16:20:10 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2004/08/09 16:34:14 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-07-16 05:15:36
< End of report >

OTL Extras logfile created on: 19/8/2010 11:31:49 πμ - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\peggy\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000408 | Country: Greece | Language: ELL | Date Format: d/M/yyyy

1.015,00 Mb Total Physical Memory | 478,00 Mb Available Physical Memory | 47,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 76,00% Paging File free
Paging file location(s): C:\pagefile.sys 1024 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 60,99 Gb Free Space | 81,84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SECRETERIAT_NEW
Current User Name: Stavroula
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"5296:TCP" = 5296:TCP:*:Enabled:kzppebuq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"\\Thiseas\THISEAS\BIS\Accounting\kef4\KEF32.EXE" = \\Thiseas\THISEAS\BIS\Accounting\kef4\KEF32.EXE:*:Enabled:KEF32.EXE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = Lizardtech DjVu Control
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{314F6D08-A8B7-11D8-8446-0050BA1D384D}" = EPSON Image Clip Palette
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39D03604-22DA-48A4-A8EB-E9691C1F9556}" = Xerox Walk-Up Printing Driver 2.0
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = EPSON Event Manager
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{64A77F14-0E08-4A97-A859-E93CFF428756}" = Broadcom Management Programs
"{67EDD823-135A-4D59-87BD-950616D6E857}" = EPSON Copy Utility 3
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B0255743-165B-4BD5-8DA8-37DFB9930014}" = Norton Ghost
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B83E0346-D2D0-11D5-A9AE-00105AA9E047}" = U.S. Robotics ControlCenter
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}" = ArcSoft PhotoImpression 5
"{E3436EE2-D5CB-4249-840B-3A0140CC34C3}" = PhoneTools
"{E86BC406-944E-41F6-ADE6-2C136734C96B}" = EPSON File Manager
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FB8A4E30-9915-4814-ADF9-42E00D9FDC3D}" = Symantec Endpoint Protection
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"BDE Installation program" = BDE Installation program
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"EntraPass Special Edition" = EntraPass Special Edition
"EPSON Scanner" = EPSON Scan
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"InstallShield_{64A77F14-0E08-4A97-A859-E93CFF428756}" = Broadcom Management Programs
"Kodak i30/i40 Scanner" = Kodak i30/i40 Scanner
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Perf3490P_3590P User's Guide" = Perf3490P_3590P User's Guide
"Software Setup" = Software Setup
"Uninstall Presto! BizCard 4.1 Eng" = Presto! BizCard 4.1 Eng
"USRUSB" = U.S. Robotics 56K Faxmodem USB
"WangImgV1" = Imaging for Windows® Professional Edition
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Οριστική Δήλωση ΦΜΥ_is1" = Οριστική Δήλωση ΦΜΥ v1
"Συγκεντρωτικές καταστάσεις Πελατών-Προμηθευτών Έ~B5A463BE_is1" = Συγκεντρωτικές καταστάσεις Πελατών-Προμηθευτών Έκδοση 2007 v1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17/8/2010 2:37:11 μμ | Computer Name = SECRETERIAT_NEW | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 17/8/2010 10:37:11 μμ | Computer Name = SECRETERIAT_NEW | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 18/8/2010 11:30:53 πμ | Computer Name = SECRETERIAT_NEW | Source = Norton Ghost | ID = 100
Description = Error EC8F1C50: Cannot create file backup for job: My Documents Backup.
Error E7D10017: Unable to delete '//node2/server_storage_1/Norton Backups/Secretariat
New PC/File Backup Data/fbfFiles_9ab/1ca4b50edc9ab5a.fbf'. Error E7D10016: Unable
to set attributes on '//node2/server_storage_1/Norton Backups/Secretariat New PC/File
Backup Data/fbfFiles_9ab/1ca4b50edc9ab5a.fbf'. Error EBAB03F1: Access is denied.
Details:
0xE7D10017 Source: Norton Ghost

Error - 19/8/2010 2:22:43 πμ | Computer Name = SECRETERIAT_NEW | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\d68263.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 19/8/2010 2:23:08 πμ | Computer Name = SECRETERIAT_NEW | Source = MsiInstaller | ID = 1008
Description = The installation of C:\WINDOWS\Installer\d68263.msi is not permitted
due to an error in software restriction policy processing. The object cannot be
trusted.

Error - 19/8/2010 2:39:57 πμ | Computer Name = SECRETERIAT_NEW | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 19/8/2010 2:40:13 πμ | Computer Name = SECRETERIAT_NEW | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 19/8/2010 4:20:08 πμ | Computer Name = SECRETERIAT_NEW | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 19/8/2010 4:20:31 πμ | Computer Name = SECRETERIAT_NEW | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 19/8/2010 4:21:15 πμ | Computer Name = SECRETERIAT_NEW | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

[ System Events ]
Error - 19/8/2010 2:40:14 πμ | Computer Name = SECRETERIAT_NEW | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 19/8/2010 2:40:15 πμ | Computer Name = SECRETERIAT_NEW | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service LiveUpdate
with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}

Error - 19/8/2010 2:40:34 πμ | Computer Name = SECRETERIAT_NEW | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 19/8/2010 2:41:23 πμ | Computer Name = SECRETERIAT_NEW | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl Fips i8042prt intelppm SASDIFSV SASKUTIL SRTSP SRTSPX SYMTDI

Error - 19/8/2010 4:11:35 πμ | Computer Name = SECRETERIAT_NEW | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 19/8/2010 4:20:07 πμ | Computer Name = SECRETERIAT_NEW | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain BIS due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 19/8/2010 4:21:02 πμ | Computer Name = SECRETERIAT_NEW | Source = Print | ID = 33
Description = The PrintQueue Container could not be found because the DNS Domain
name could not be retrieved. Error: 54b

Error - 19/8/2010 4:21:02 πμ | Computer Name = SECRETERIAT_NEW | Source = Print | ID = 33
Description = The PrintQueue Container could not be found because the DNS Domain
name could not be retrieved. Error: 54b

Error - 19/8/2010 4:23:12 πμ | Computer Name = SECRETERIAT_NEW | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 19/8/2010 4:30:06 πμ | Computer Name = SECRETERIAT_NEW | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain BIS due to the following:
%%1722. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.


< End of report >
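
The symptom in this opening post (a workstation that opens dozens of outbound SMTP connections the moment it gets an address, then does it again some minutes later) is easiest to confirm from the egress firewall rather than from the infected host. The following is an added example, not code from the thread or from Symantec: it groups each internal host's direct-to-Internet TCP/25 connections into bursts and reports the ones that look like a spam bot rather than a mail client. The log lines in SAMPLE_LINES are constructed for this example, and the syslog-like line format and the relay address MAIL_RELAY are assumptions, not any vendor's format or the poster's network.

```python
"""
Added example (not from the thread): detect the traffic pattern described in
the opening post, a workstation that opens dozens of outbound SMTP (TCP/25)
connections to many different hosts as soon as it is on the network and does
it again some minutes later. Input is egress firewall log text. SAMPLE_LINES
are constructed here; the line format and MAIL_RELAY are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the one host allowed to speak SMTP to the outside world.
MAIL_RELAY = "192.168.1.25"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) fw: (?P<action>ACCEPT|DROP) "
    r"proto=TCP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def make_sample():
    """Constructed log: the relay, a normal client and one host (192.168.1.77)
    that fires two 30-connection SMTP bursts, 25 minutes apart."""
    base = datetime(2010, 8, 19, 9, 0, 0)
    lines = []
    for burst_start in (0, 25 * 60):
        for k in range(30):
            t = base + timedelta(seconds=burst_start + k)
            lines.append(f"{t.isoformat()} fw: ACCEPT proto=TCP src=192.168.1.77 "
                         f"dst=203.0.113.{k + 1} dport=25")
    t = (base + timedelta(minutes=10)).isoformat()
    lines += [
        f"{t} fw: ACCEPT proto=TCP src=192.168.1.25 dst=198.51.100.9 dport=25",   # relay, legitimate
        f"{t} fw: ACCEPT proto=TCP src=192.168.1.50 dst=192.168.1.25 dport=25",   # client -> relay
        f"{t} fw: ACCEPT proto=TCP src=192.168.1.50 dst=198.51.100.20 dport=80",  # web, ignored
        f"{t} fw: DROP proto=TCP src=192.168.1.50 dst=198.51.100.20 dport=445",   # unrelated drop
    ]
    return lines


SAMPLE_LINES = make_sample()


def parse(lines):
    """Return (timestamp, src, dst, dport) for every line that matches LINE_RE."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return out


def smtp_bursts(events, max_gap=timedelta(seconds=60), min_conns=20, min_dsts=10):
    """Group each host's direct-to-Internet SMTP connections into bursts
    (consecutive connections no more than max_gap apart) and return
    {src: [(burst_start, connections, distinct_destinations), ...]} for bursts
    big and spread out enough to look like a spam bot rather than a mail client."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 25 and src != MAIL_RELAY and dst != MAIL_RELAY:
            by_src[src].append((ts, dst))
    findings = {}
    for src, conns in by_src.items():
        conns.sort()
        bursts, current = [], [conns[0]]
        for prev, cur in zip(conns, conns[1:]):
            if cur[0] - prev[0] <= max_gap:
                current.append(cur)
            else:
                bursts.append(current)
                current = [cur]
        bursts.append(current)
        hits = []
        for b in bursts:
            dsts = {d for _, d in b}
            if len(b) >= min_conns and len(dsts) >= min_dsts:
                hits.append((b[0][0], len(b), len(dsts)))
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for src, hits in smtp_bursts(parse(SAMPLE_LINES)).items():
        for start, n, d in hits:
            print(f"{src}: {n} SMTP connections to {d} hosts starting {start:%H:%M:%S}")
```

The thresholds are deliberately coarse: a real mail client talks to one relay, so any workstation reaching many distinct hosts on port 25 inside a minute is worth pulling off the network before the scanners are even run. On a perimeter that only permits port 25 from the relay, the same pattern shows up as a burst of DROP lines instead, which is cheaper to spot and stops the spam as a side effect.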


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:16 PM

Posted 26 August 2010 - 06:21 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 jimmakos7

jimmakos7
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 27 August 2010 - 08:42 AM

Hello Elle,

Thanks for the reply. No, I haven't fixed my problem since my last post.

I did the steps you asked of me, but I note here that I had to run GMER in Safe Mode and with the Devices checkbox unchecked to have it complete its scan. Otherwise I was getting restarts (and had to check the disk again because it wouldn't even boot in Safe Mode).

I paste the DDS log now. I have also attached the GMER log as ark.txt and the Attach.txt from DDS:

DDS Log :


DDS (Ver_10-03-17.01) - NTFSx86
Run by stavroula at 9:42:10,09 on Fri 27/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1015.534 [GMT 3:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\peggy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.in.gr/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = andromeda:8080
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [<NO NAME>]
mRun: [kds_i30_i40] c:\program files\kodak\document imaging\KDSEvents.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instan~1.lnk - c:\program files\u.s. robotics\controlcenter\Reminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-16 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-16 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-11-16 2177464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-10 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100826.023\NAVENG.SYS [2010-8-27 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100826.023\NAVEX15.SYS [2010-8-27 1362608]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1562096]
R3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [2008-5-28 902860]
S1 KdsMm;KdsMm;\??\c:\windows\system32\drivers\kdsmm.sys --> c:\windows\system32\drivers\kdsmm.sys [?]
S2 kwkpwtvg;Helper Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
S3 CyUsb;Buic scanner USB2 Driver;c:\windows\system32\drivers\CyUsb.sys [2006-10-18 31104]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-12-8 10880]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-08-17 10:07:02 0 d-----w- c:\docume~1\peggy\applic~1\SUPERAntiSpyware.com
2010-08-17 10:07:02 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-17 10:06:54 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-05 08:53:28 764928 ----a-w- c:\windows\system32\drivers\oyjquw.sys
2010-07-28 08:10:09 0 d-----w- c:\program files\CCleaner
2010-07-28 07:55:42 0 d-----w- c:\program files\Defraggler

==================== Find3M ====================


============= FINISH: 9:42:29,62 ===============

Attached Files
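
The DDS log above is long, and the entries that matter are scattered across three sections: a service hosted by "svchost.exe -k netsvcs" under a key that is not a stock Windows name, a kernel driver that appeared in system32\drivers a couple of weeks before the report (the same file SUPERAntiSpyware named in the opening post), and 48 rundll32.exe processes. The following is an added example written for this page, not part of DDS and not from the thread: a first-pass triage that pulls those indicators out of DDS-formatted text so a responder reads them first. It decides nothing about what is malicious. SAMPLE_LOG is an excerpt of the log posted above (the 48 rundll32.exe lines are reproduced by repetition); KNOWN_NETSVCS is an assumed, partial list of stock Windows XP netsvcs members, and the "random-looking name" rule is a soft signal that abbreviated vendor keys can trip.

```python
"""
Added example (not from the thread, not part of DDS): first-pass triage of a
DDS log. Flags, for a human to review:
  * services hosted by "svchost.exe -k netsvcs" whose key is not a stock member,
  * kernel drivers (.sys under \drivers\) listed in "Created Last 30",
  * all-lowercase service/driver keys with no vowel or 5+ consonants in a row,
  * how many rundll32.exe processes were running.
SAMPLE_LOG is an excerpt of the posted log; KNOWN_NETSVCS is an assumed,
partial list of Windows XP netsvcs members and needs tuning per environment.
"""
import re

KNOWN_NETSVCS = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "ersvc",
    "eventsystem", "helpsvc", "hidserv", "ias", "iprip", "irmon", "lanmanserver",
    "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc", "nwcworkstation",
    "nwsapagent", "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens",
    "sharedaccess", "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks",
    "uploadmgr", "w32time", "winmgmt", "wmdmpmsp", "wmi", "wscsvc", "wuauserv",
    "wzcsvc", "xmlprov",
}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<key>[^;]+);(?P<name>[^;]*);(?P<path>.*)$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<size>\d+) \S+ (?P<path>.+)$")

SAMPLE_LOG = "\n".join(
    ["============== Running Processes ===============",
     "C:\\WINDOWS\\system32\\svchost -k DcomLaunch",
     "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs",
     "C:\\WINDOWS\\Explorer.EXE"]
    + ["C:\\WINDOWS\\System32\\rundll32.exe"] * 48
    + ["C:\\WINDOWS\\system32\\igfxsrvc.exe",
       "",
       "============= SERVICES / DRIVERS ===============",
       "R1 SASDIFSV;SASDIFSV;c:\\program files\\superantispyware\\sasdifsv.sys [2010-2-17 12872]",
       "R2 ccEvtMgr;Symantec Event Manager;c:\\program files\\common files\\symantec shared\\ccSvcHst.exe [2007-11-16 108392]",
       "S2 kwkpwtvg;Helper Time;c:\\windows\\system32\\svchost.exe -k netsvcs [2004-8-4 14336]",
       "S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\\windows\\system32\\dllhost.exe [2004-8-4 5120]",
       "S3 scsiscan;SCSI Scanner Driver;c:\\windows\\system32\\drivers\\scsiscan.sys [2008-12-8 10880]",
       "",
       "=============== Created Last 30 ================",
       "2010-08-17 10:06:54 0 d-----w- c:\\program files\\SUPERAntiSpyware",
       "2010-08-05 08:53:28 764928 ----a-w- c:\\windows\\system32\\drivers\\oyjquw.sys",
       "2010-07-28 08:10:09 0 d-----w- c:\\program files\\CCleaner",
       ""]
)


def sections(text):
    """Split DDS text into {section title: [non-empty lines]}."""
    out, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line)
    return out


def looks_random(key):
    """Soft signal: an all-lowercase alphabetic key with no vowel at all or
    five or more consonants in a row. Tune or drop this on a real fleet."""
    if not (key.isalpha() and key.islower()):
        return False
    return re.search(r"[aeiou]", key) is None or re.search(r"[^aeiou]{5,}", key) is not None


def triage(text):
    secs = sections(text)
    procs = secs.get("Running Processes", [])
    rundll = sum(1 for p in procs if p.lower().endswith("rundll32.exe"))
    svchost_unknown, random_keys, new_drivers = [], [], []
    for line in secs.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        key, path = m["key"], m["path"].lower()
        # A netsvcs-hosted service is really a DLL named in the registry; DDS
        # only shows svchost.exe here, so an unknown key needs a registry look.
        if "svchost.exe -k netsvcs" in path and key.lower() not in KNOWN_NETSVCS:
            svchost_unknown.append(key)
        if looks_random(key):
            random_keys.append(key)
    for line in secs.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m and m["path"].lower().endswith(".sys") and "\\drivers\\" in m["path"].lower():
            new_drivers.append((m["date"], int(m["size"]), m["path"]))
    return {"rundll32_count": rundll, "svchost_unknown": svchost_unknown,
            "random_keys": random_keys, "new_drivers": new_drivers}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against the excerpt this reports kwkpwtvg twice (unknown netsvcs member and vowel-less key), oyjquw.sys as the only recently created kernel driver, and 48 rundll32.exe processes. None of that is a verdict; it is the short list to take to a registry export of HKLM\SYSTEM\CurrentControlSet\Services and to a file hash lookup before deciding, as this thread eventually did, that a rebuild is the safer outcome.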



#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:16 PM

Posted 27 August 2010 - 03:17 PM

Hello!

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient because I won't leave your case suspended in the air, waiting forever.

NOTE: Do not make any type of changes to your system during the cleaning process. The steps you are following are based on strict information from your system. So changes which I did not give instructions for are not recommended.

I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.

Also please let me know if you still need help after you have read this.



Elle

#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:16 PM

Posted 30 August 2010 - 01:18 PM

Are you still with us?



Elle

#6 jimmakos7

jimmakos7
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 31 August 2010 - 02:54 AM

Hi Elle,

Yes, of course. I am waiting for your reply. Is there something else you want me to try on the PC?

Dimitris

#7 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:16 PM

Posted 01 September 2010 - 04:45 PM

Hello,



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




If you decide to continue



We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open RootRepeal.exe on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.




Elle

#8 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:16 PM

Posted 04 September 2010 - 03:18 PM

Do you still need help?


Have you resolved the problem? Please let me know.



Elle

#9 jimmakos7

jimmakos7
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:16 PM

Posted 08 September 2010 - 03:20 AM

Hi Elle,

Sorry for the late response. I formatted the PC. I had a backup of everything I wanted from this PC, so it is quite alright now.

One last thing, can you point me to tools that can protect me from that kind of threat in the future? Is there a thread you can guide me to?

Thanks very much for your help.

Dimitris

#10 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:16 PM

Posted 12 September 2010 - 05:06 AM

Hello,



The two most important security programs you need to have are:
  1. An Anti-Virus program


    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.




  2. A Firewall Program




    While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
    I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (remember to uncheck Install Comodo Antivirus) or ZoneAlarm
    See Bleepingcomputer's excellent tutorial to help with using and understanding a firewall here
    Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.




Other security tips:





Update your Anti Virus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest available security updates installed.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, I would recommend the download and installation of some or all of the following programs, and the updating of them regularly

Install SUPERAntiSpyware - Download and install SUPERAntiSpyware.
* You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
* Information on installing & using this product can be found here:
* Click here for more info -->SUPERAntiSpyware official site

Install Javacool's SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...

Elle

#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:16 AM

Posted 15 September 2010 - 08:09 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



