
Infected with spdep.exe and wareg51.exe


This topic is locked
64 replies to this topic

#1 Althaia (Members, 37 posts)

Posted 22 August 2010 - 10:01 AM

Hi, forum newbie here.

A friend borrowed my laptop yesterday, and when I got it back today, I was surprised to get an error message while I was using Photoshop. I was trying to save some files, but I got an error message saying that my system did not have enough memory to complete the said task. I found it strange, so I decided to just close the opened file and just redo the minor picture editing that I was doing. To my surprise, I couldn't close the file, and I got the same error message.

I then ran Task Manager and closed Photoshop from there. Then I saw a lot of copies of spdep.exe and a single process of wareg.exe. I closed them through Task Manager, then looked for information about the file using a desktop. I became really worried when I saw a post that says that spdep was a fairly new malware.

So here I am. I was able to run DDS.scr, but I was having problems with gmer. First, the main gmer screen just "ran" its thing and closed. I restarted it and did all that was suggested in the preparation guide thread. When I got to the point wherein I clicked scan, after a couple of minutes, the laptop restarted. I haven't done anything since.

As instructed by the preparation guide, I'm posting the DDS report and attaching the attach.txt file.

Thank you in advance for the help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Lei at 22:20:46.85 on Sun 08/22/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.893.535 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HotKey_Driver\HotKeyDriver.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\wareg51.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\Spdep.exe
C:\DOCUME~1\Lei\LOCALS~1\Temp\wareg51.exe
C:\WINDOWS\system32\taskmgr.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = proxy7.upd.edu.ph:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SkinClock] c:\program files\free desktop clock\DesktopClock.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [BisonHK] c:\windows\bisoncam\BisonHK.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRunOnce: [InstallShieldSetup] c:\progra~1\instal~1\{c823e~1\setup.exe -rebootc:\progra~1\instal~1\{c823e~1\reboot.ini -l0x0009
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\lei\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotkey~1.lnk - c:\program files\hotkey_driver\HotKeyDriver.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\regist~1.lnk - c:\program files\onone software\mask pro 4.1\<FILE_REGISTRATION_APP>
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-22 102448]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-7-24 77968]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100817.008\NAVENG.SYS [2010-8-18 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100817.008\NAVEX15.SYS [2010-8-18 1362608]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-7-31 1251720]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys --> c:\windows\system32\drivers\ewusbdev.sys [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-10-6 288000]

=============== Created Last 30 ================

2010-08-22 19:54:51 0 d-----w- c:\program files\PhotomatixPro3
2010-08-22 19:38:34 0 d-----w- c:\program files\Topaz Labs
2010-08-22 19:28:23 57344 ----a-w- c:\windows\system32\ASTS1a78.rra
2010-08-22 18:53:52 0 d-----w- c:\program files\common files\Macrovision Shared
2010-08-17 14:57:31 0 d-----w- c:\docume~1\lei\applic~1\Mask Pro 4.0
2010-08-17 14:03:03 57344 ----a-w- c:\windows\system32\ASTSRV.EXE
2010-08-17 14:03:02 0 d-----w- c:\docume~1\lei\applic~1\onOne Software
2010-08-17 14:02:54 0 d-----w- c:\docume~1\alluse~1\applic~1\onOne Software
2010-08-17 14:02:53 0 d-----w- c:\program files\onOne Software
2010-08-17 13:50:41 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-08-17 13:50:41 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-08-17 13:50:41 120568 ------w- c:\windows\system32\pxcpyi64.exe
2010-08-17 13:50:41 118256 ------w- c:\windows\system32\pxinsi64.exe
2010-08-17 13:50:40 129520 ------w- c:\windows\system32\pxafs.dll
2010-08-15 03:53:21 0 d-----w- c:\program files\Imagenomic
2010-08-15 02:53:03 0 d-----w- c:\docume~1\lei\applic~1\HDRsoft
2010-08-13 07:06:22 0 d-----w- c:\docume~1\lei\applic~1\Foxit Software
2010-08-13 01:06:35 0 d-----w- c:\program files\Foxit Software
2010-08-13 00:46:14 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-08-13 00:46:09 0 d-----w- c:\program files\Nitro PDF
2010-08-09 03:05:44 0 d-----w- c:\docume~1\lei\applic~1\HpUpdate
2010-08-05 16:33:19 0 d-----w- C:\YouTubeDownload
2010-08-05 16:33:18 0 d-----w- C:\ConverterOutput
2010-08-05 16:33:07 6144 ----a-w- c:\windows\system32\ff_acm.acm
2010-08-05 16:33:07 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-08-05 16:33:07 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2010-08-05 16:33:07 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-08-05 16:33:05 372736 ----a-w- c:\windows\system32\xvid.ax
2010-08-05 16:33:04 0 d-----w- c:\program files\Cucusoft
2010-08-05 16:19:41 0 d-----w- c:\program files\Free YouTube Downloader Converter
2010-08-02 13:01:46 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
2010-08-02 06:46:41 7168 --sha-w- c:\windows\Thumbs.db
2010-08-01 23:34:52 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2010-08-01 23:33:55 966656 ----a-r- c:\windows\system32\hpost_p02c.dll
2010-08-01 23:33:55 712704 ----a-r- c:\windows\system32\hposwia_p02c.dll
2010-08-01 23:33:55 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2010-08-01 23:33:55 315392 ----a-r- c:\windows\system32\hposc_p02a.dll
2010-08-01 23:33:55 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-08-01 23:30:02 0 d-----w- c:\program files\Coupons
2010-08-01 23:29:09 0 d-----w- c:\program files\HP Photo Creations
2010-08-01 23:29:09 0 d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
2010-08-01 23:23:24 0 d-----w- c:\program files\common files\HP
2010-08-01 23:07:31 601 ------w- c:\windows\hpomdl43.dat
2010-08-01 23:07:31 208130 ----a-w- c:\windows\hpoins43.dat
2010-08-01 21:41:52 43872 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-08-01 21:32:46 0 d-----w- c:\program files\common files\Adobe Systems Shared
2010-07-25 05:34:20 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2010-07-25 05:25:26 0 d-----w- c:\program files\Alcohol Soft
2010-07-25 05:21:46 697328 ----a-w- c:\windows\system32\drivers\sptd.sys

==================== Find3M ====================


============= FINISH: 22:21:23.82 ===============

Edited by Althaia, 22 August 2010 - 10:18 AM.


#2 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 28 August 2010 - 10:40 PM

Hi Althaia
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this.
Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista and Windows 7 users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.


Thanks
maranatha



#3 Althaia (Topic Starter, Members, 37 posts)

Posted 28 August 2010 - 10:58 PM

Hi maranatha. Thanks for helping me. Since it's been almost a week, maybe I should update you on the things that I did since posting.

1. I manually deleted the spdep.exe and wareg51.exe files by clearing the temporary files folder. The files haven't shown up in the times I've run Task Manager. Not sure if that did the trick.

2. I uninstalled Norton because I was pissed that it didn't "protect" me even if my AV definitions were up-to-date. I read through some of the threads here in BleepingComputer and installed Spybot, Ad-Aware, and Malwarebytes. They were able to "fix" the computer up to a certain extent.

3. However, I found out that I cannot access some websites at all, such as Microsoft, Kaspersky, McAfee and Symantec, whether from Firefox or from Internet Explorer.

So yeah, I don't know what's going on. I'm going to attach the ComboFix log in a bit.

ETA:

ComboFix 10-08-27.03 - Jan 2010 08/29/2010 12:03:27.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.127 [GMT 8:00]
Running from: c:\documents and settings\Jan 2010\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-28 15:06 . 2010-08-28 15:06 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\RenPy
2010-08-28 15:01 . 2010-08-28 15:02 -------- d-----w- c:\program files\RE Alistair++
2010-08-25 16:25 . 2010-08-25 16:25 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-25 16:21 . 2010-08-25 16:21 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Malwarebytes
2010-08-25 14:30 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 14:30 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-25 14:14 . 2010-08-25 14:17 -------- d-----w- c:\program files\PCPitstop
2010-08-25 09:44 . 2010-08-25 09:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-23 22:28 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-23 21:41 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-23 17:19 . 2010-08-23 17:19 -------- d-----w- c:\documents and settings\Jan 2010\Local Settings\Application Data\Sunbelt Software
2010-08-23 14:50 . 2010-08-23 14:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-23 14:50 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-23 14:49 . 2010-08-23 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-23 14:49 . 2010-08-23 14:49 -------- d-----w- c:\program files\Lavasoft
2010-08-23 06:41 . 2010-08-25 10:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-23 06:41 . 2010-08-23 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-23 01:45 . 2010-08-23 05:59 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-08-19 11:29 . 2010-08-19 11:29 -------- d-----w- c:\documents and settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}
2010-08-16 22:21 . 2010-08-18 05:28 1351975692 ----a-w- c:\documents and settings\Jan 2010\Application Data\uTorrent\Adobe Photoshop CS5 Extended Edition.exe
2010-08-16 18:17 . 2010-08-16 18:17 137728 ----a-w- c:\documents and settings\Jan 2010\Application Data\uTorrent\Imagenomic Noiseware Professional Plugin 4.2\CORE10k.EXE
2010-08-16 09:05 . 2010-08-16 09:05 89831 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\Uninstall.exe
2010-08-16 09:04 . 2010-08-16 11:59 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Dropbox
2010-08-12 11:19 . 2010-08-12 11:19 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\PrimoPDF
2010-08-12 10:29 . 2009-12-21 01:42 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-08-12 10:29 . 2010-08-12 10:29 -------- d-----w- c:\program files\Nitro PDF
2010-08-04 03:18 . 2010-08-04 03:18 503808 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\msvcp71.dll
2010-08-04 03:18 . 2010-08-04 03:18 499712 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\jmc.dll
2010-08-04 03:18 . 2010-08-04 03:18 348160 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\msvcr71.dll
2010-08-04 03:18 . 2010-08-04 03:18 61440 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-359dbab7-n\decora-sse.dll
2010-08-04 03:18 . 2010-08-04 03:18 12800 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-359dbab7-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 09:43 . 2010-02-15 18:16 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-08-23 06:05 . 2008-09-18 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-23 05:46 . 2010-04-30 19:59 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\uTorrent
2010-08-23 01:42 . 2008-09-18 01:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-19 11:32 . 2010-07-12 04:43 -------- d-----w- c:\program files\Java
2010-08-19 11:30 . 2010-07-12 04:46 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 04:36 . 2010-07-29 02:37 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-16 18:58 . 2009-12-11 00:40 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\LimeWire
2010-08-16 18:03 . 2009-05-11 10:14 -------- d-----w- c:\program files\YouTube Downloader
2010-07-26 09:11 . 2010-06-11 09:19 25 ----a-w- c:\windows\popcinfot.dat
2010-07-26 07:43 . 2008-10-01 17:25 -------- d-----w- c:\program files\HP
2010-07-24 03:01 . 2010-07-24 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-12 04:45 . 2010-07-12 04:45 503808 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\msvcp71.dll
2010-07-12 04:45 . 2010-07-12 04:45 499712 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\jmc.dll
2010-07-12 04:45 . 2010-07-12 04:45 348160 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\msvcr71.dll
2010-07-12 04:45 . 2010-07-12 04:45 61440 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c996f14-n\decora-sse.dll
2010-07-12 04:45 . 2010-07-12 04:45 12800 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c996f14-n\decora-d3d.dll
2010-07-12 04:44 . 2010-04-17 17:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-04 12:41 . 2010-07-04 12:41 -------- d-----w- c:\program files\Common Files\Adobe
2004-08-04 04:56 . 2004-08-04 04:56 4734976 --sha-r- c:\windows\system32\tzgdxgok.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-26_16.36.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-28 07:47 . 2010-08-28 07:47 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-10-01 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SlowDownCPU"=c:\windows\INF\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Jan 2010\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7245:TCP"= 7245:TCP:nnfsvg

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/24/2010 5:41 AM 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 PM 1355416]
S2 tehko;Boot Update;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 PM 14336]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;"c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe" --> c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS --> c:\windows\system32\DRIVERS\LV532AV.SYS [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SlowDownCPU;SlowDownCPU;c:\windows\inf\MSI\SlowDownCPU\NTGLM7X.SYS [9/18/2008 9:16 AM 25088]
S3 snwbece;snwbece;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;\??\c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys --> c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Lavasoft Kernexplorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
pdmglgaa
tehko
.
Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15161&l=dis
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {64F12E9A-14D6-4EA1-97A1-5D4AE1C7EC89} = 210.4.2.61 202.78.97.41
FF - ProfilePath - c:\documents and settings\Jan 2010\Application Data\Mozilla\Firefox\Profiles\wvuoetr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.pipelining.maxrequests - 8
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 12:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\snwbece]
"ImagePath"="\??\c:\windows\system32\03.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tehko]
"ServiceDll"="c:\windows\system32\tzgdxgok.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3736)
c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll
.
Completion time: 2010-08-29 12:10:30
ComboFix-quarantined-files.txt 2010-08-29 04:10
ComboFix2.txt 2010-08-26 16:39

Pre-Run: 63,869,407,232 bytes free
Post-Run: 63,860,400,128 bytes free

- - End Of File - - B2A3F49DFB528ED8045F7AD3491378F0

Edited by Althaia, 28 August 2010 - 11:12 PM.


#4 maranatha

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 29 August 2010 - 01:35 AM

Hi
OK a few things here.
First: you need an antivirus program; the ones you installed are not antivirus.
Second: antivirus applications will not always catch everything all the time; a lot depends on the user also. If you take risks, visit risky sites and use risky applications, you will get infected sooner or later.

Which brings me to my first point.

P2P software (LimeWire, BitTorrent, uTorrent, Vuze, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file sharing as a major conduit to spread their wares and their infections. See here and here

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall any P2P programs you have on your system.

----------------------------------------------------------------------------------------------------
I'm guessing you did not buy Norton.
Because it is hard to remove from your system, we need to do this.

Go here and run the Norton Removal Tool for the product version you have.

http://service1.symantec.com/SUPPORT/tsgen...005033108162039

Now you need to download an antivirus program; only download 1.
These are free.

Please download and run only 1 AV.

Anti-Virus
Avast
Avira
AVGFree

Download, update and scan your computer with the AV. Quarantine/delete anything it finds.

After doing the above, please do this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
Files::
c:\windows\system32\03.tmp
c:\windows\system32\tzgdxgok.dll
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tehko]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\snwbece]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7245:TCP"=-
Driver::
snwbece
DirLook::
c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
c:\documents and settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}


Please post the Combofix log.

Thanks
maranatha

Edited by maranatha, 29 August 2010 - 01:38 AM.

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, But I do accept donations.
Donate Here


#5 Althaia

  • Topic Starter
  • Members
  • 37 posts

Posted 29 August 2010 - 03:58 AM

Oh,

I thought I already uninstalled my P2P programs after reading the risks from one of the threads here. Apparently, they still show up in the Application Data subfolder, and they're empty folders. Was it okay to delete the folders since they were empty anyway?

Also, I uninstalled Norton using that file downloaded from their site (also got informed of how to uninstall Norton through another thread here). I only started having problems going to their site after I uninstalled Norton using the same file, and after having used Spybot, Ad-Aware and Malwarebytes.

I can only visit the Avira link. The other two I can't. I'll update this post if Avira shows a log, as well as after I run ComboFix.

Edited by Althaia, 29 August 2010 - 04:44 AM.


#6 Althaia

  • Topic Starter
  • Members
  • 37 posts

Posted 29 August 2010 - 01:03 PM

Hi,

I installed Avira, updated it, and scanned before running combofix. I did two "runs" with it. In the first one, it detected one file and quarantined it. However, at some point after that, the scanning stopped, and the program exited. I did another run, then went out on some errands, and when I came back, the program exited again. I checked the logs but there were no traces of the two runs.

Then I ran combofix with the script as you directed. It asked me if I wanted to update. I figured that maybe I shouldn't, because otherwise, you would have told me to update. It didn't reboot the machine.

Here's the log:

ComboFix 10-08-28.01 - Jan 2010 08/30/2010 1:45.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.226 [GMT 8:00]
Running from: c:\documents and settings\Jan 2010\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jan 2010\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-29 09:54 . 2010-08-29 17:40 -------- d-----w- c:\windows\system32\NtmsData
2010-08-29 09:53 . 2010-08-29 09:53 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Avira
2010-08-29 09:38 . 2010-03-01 02:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-29 09:38 . 2010-02-16 06:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-29 09:38 . 2009-05-11 04:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-29 09:38 . 2009-05-11 04:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-29 09:38 . 2010-08-29 09:38 -------- d-----w- c:\program files\Avira
2010-08-29 09:38 . 2010-08-29 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-28 15:06 . 2010-08-29 16:14 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\RenPy
2010-08-28 15:01 . 2010-08-28 15:02 -------- d-----w- c:\program files\RE Alistair++
2010-08-25 16:25 . 2010-08-25 16:25 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-25 16:21 . 2010-08-25 16:21 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Malwarebytes
2010-08-25 14:30 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 14:30 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-25 14:14 . 2010-08-25 14:17 -------- d-----w- c:\program files\PCPitstop
2010-08-25 09:44 . 2010-08-25 09:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-23 22:28 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-23 21:41 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-23 17:19 . 2010-08-23 17:19 -------- d-----w- c:\documents and settings\Jan 2010\Local Settings\Application Data\Sunbelt Software
2010-08-23 14:50 . 2010-08-23 14:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-23 14:50 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-23 14:49 . 2010-08-23 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-23 14:49 . 2010-08-23 14:49 -------- d-----w- c:\program files\Lavasoft
2010-08-23 06:41 . 2010-08-25 10:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-23 06:41 . 2010-08-23 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-23 01:45 . 2010-08-23 05:59 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-08-19 11:29 . 2010-08-19 11:29 -------- d-----w- c:\documents and settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}
2010-08-16 19:26 . 2010-08-16 19:27 -------- d-----w- c:\documents and settings\Jan 2010\topaz adjust
2010-08-16 18:57 . 2010-08-16 18:57 -------- d-----w- c:\documents and settings\Jan 2010\Adobe Photoshop Lightroom 2.5 Build 605155 Final + Serials
2010-08-16 18:06 . 2010-08-16 18:17 -------- d-----w- c:\documents and settings\Jan 2010\Imagenomic Noiseware Professional Plugin 4.2
2010-08-16 09:05 . 2010-08-16 09:05 89831 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\Uninstall.exe
2010-08-16 09:04 . 2010-08-16 11:59 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Dropbox
2010-08-12 11:19 . 2010-08-12 11:19 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\PrimoPDF
2010-08-12 10:29 . 2009-12-21 01:42 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-08-12 10:29 . 2010-08-12 10:29 -------- d-----w- c:\program files\Nitro PDF
2010-08-04 03:18 . 2010-08-04 03:18 503808 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\msvcp71.dll
2010-08-04 03:18 . 2010-08-04 03:18 499712 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\jmc.dll
2010-08-04 03:18 . 2010-08-04 03:18 348160 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\msvcr71.dll
2010-08-04 03:18 . 2010-08-04 03:18 61440 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-359dbab7-n\decora-sse.dll
2010-08-04 03:18 . 2010-08-04 03:18 12800 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-359dbab7-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 09:43 . 2010-02-15 18:16 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-08-23 06:05 . 2008-09-18 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-23 01:42 . 2008-09-18 01:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-19 11:32 . 2010-07-12 04:43 -------- d-----w- c:\program files\Java
2010-08-19 11:30 . 2010-07-12 04:46 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 04:36 . 2010-07-29 02:37 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-16 18:03 . 2009-05-11 10:14 -------- d-----w- c:\program files\YouTube Downloader
2010-07-26 09:11 . 2010-06-11 09:19 25 ----a-w- c:\windows\popcinfot.dat
2010-07-26 07:43 . 2008-10-01 17:25 -------- d-----w- c:\program files\HP
2010-07-24 03:01 . 2010-07-24 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-12 04:45 . 2010-07-12 04:45 503808 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\msvcp71.dll
2010-07-12 04:45 . 2010-07-12 04:45 499712 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\jmc.dll
2010-07-12 04:45 . 2010-07-12 04:45 348160 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\msvcr71.dll
2010-07-12 04:45 . 2010-07-12 04:45 61440 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c996f14-n\decora-sse.dll
2010-07-12 04:45 . 2010-07-12 04:45 12800 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c996f14-n\decora-d3d.dll
2010-07-12 04:44 . 2010-04-17 17:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-04 12:41 . 2010-07-04 12:41 -------- d-----w- c:\program files\Common Files\Adobe
2004-08-04 04:56 . 2004-08-04 04:56 4734976 --sha-r- c:\windows\system32\tzgdxgok.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70} ----

2010-08-23 14:50 . 2010-08-23 14:50 90 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\instance.dat
2010-08-23 14:50 . 2010-08-23 17:19 496 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.dat
2010-08-23 14:50 . 2010-08-23 14:50 9 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.lan
2010-08-23 14:50 . 2010-08-23 14:50 5140 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.par
2010-08-23 14:50 . 2010-08-12 12:16 574219 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\mia.lib
2010-08-23 14:50 . 2010-08-12 12:16 24046035 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.res
2010-08-23 14:50 . 2010-08-12 12:15 1867264 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.msi
2010-08-23 14:50 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe

---- Directory of c:\documents and settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050} ----

2010-08-19 11:29 . 2010-08-19 11:29 3584 ----a-w- c:\documents and settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}\1033.MST
2010-08-19 11:29 . 2010-08-19 11:29 11775488 ----a-w- c:\documents and settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}\J2SE Runtime Environment 5.0 Update 5.msi


((((((((((((((((((((((((((((( SnapShot@2010-08-26_16.36.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 16:02 . 2009-07-11 16:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 16:05 . 2009-07-11 16:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 16:05 . 2009-07-11 16:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-08-28 07:47 . 2010-08-28 07:47 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
+ 2010-08-29 09:38 . 2009-05-11 02:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-07-11 16:02 . 2009-07-11 16:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 16:05 . 2009-07-11 16:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-08-29 09:37 . 2010-08-29 09:37 219648 c:\windows\Installer\58b8904.msi
+ 2009-07-11 16:02 . 2009-07-11 16:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-10-01 53248]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SlowDownCPU"=c:\windows\INF\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Jan 2010\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/24/2010 5:41 AM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/29/2010 5:38 PM 135336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 PM 1355416]
S2 tehko;Boot Update;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 PM 14336]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;"c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe" --> c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS --> c:\windows\system32\DRIVERS\LV532AV.SYS [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SlowDownCPU;SlowDownCPU;c:\windows\inf\MSI\SlowDownCPU\NTGLM7X.SYS [9/18/2008 9:16 AM 25088]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;\??\c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys --> c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - NTMSSVC
*NewlyCreated* - SWPRV
*NewlyCreated* - VSS
*Deregistered* - Lavasoft Kernexplorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
pdmglgaa
tehko
.
Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15161&l=dis
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {64F12E9A-14D6-4EA1-97A1-5D4AE1C7EC89} = 210.4.2.61 202.78.97.41
FF - ProfilePath - c:\documents and settings\Jan 2010\Application Data\Mozilla\Firefox\Profiles\wvuoetr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.pipelining.maxrequests - 8
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 01:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tehko]
"ServiceDll"="c:\windows\system32\tzgdxgok.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3008)
c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll
.
Completion time: 2010-08-30 01:53:27
ComboFix-quarantined-files.txt 2010-08-29 17:53
ComboFix2.txt 2010-08-26 16:39

Pre-Run: 70,570,926,080 bytes free
Post-Run: 70,561,390,592 bytes free

- - End Of File - - EC3F604A1CB197C9954F55AAD5CD4413


#7 maranatha

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 29 August 2010 - 01:41 PM

Hi
OK, now let's do this again. Please let ComboFix update if prompted.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::
NetSvc::
Files::
c:\windows\system32\tzgdxgok.dll
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tehko]
Driver::
pdmglgaa
tehko


Please post the Combofix log.

Thanks
maranatha

Edited by maranatha, 29 August 2010 - 01:43 PM.

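As an added example (not code from this thread, its posters, or ComboFix's authors), here is a Python script that triages a ComboFix log of the kind posted above for the indicators the helper targeted in posts #4 and #7: a service hosted by "svchost.exe -k netsvcs" whose ServiceDll is a file the log lists with hidden/system attributes (the tehko / tzgdxgok.dll entry), a name in the Svchost NetSvcs group with no service line behind it (pdmglgaa), the standard-profile firewall switched off, a globally opened port, and Security Center monitoring disabled. The SAMPLE_LOG is a constructed excerpt stitched from lines in this thread; the value after "7245:TCP"= is made up, since the thread only shows that key being deleted. The "NetSvcs entry without a service line" check is a review queue, not a verdict: UxTuneUp (TuneUp Utilities' own entry) trips it just as pdmglgaa does, because ComboFix does not print a service line for everything in the group.

```python
"""Added example (not the thread's or ComboFix's code): triage a ComboFix log
for the netsvcs-hijack and weakened-defence indicators seen in this thread."""
import re

# Line shapes copied from the logs above.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")   # "S2 tehko;Boot Update;...svchost.exe -k netsvcs [...]"
FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+\s+(?:\d+|-+)\s+([-a-z]{8})\s+(.+)$")  # "... 4734976 --sha-r- c:\...\x.dll"
SERVICES_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"$', re.I)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
OPEN_PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')

# Constructed excerpt stitched from lines in this thread; the value after
# "7245:TCP"= is made up (the thread only shows that key being deleted).
SAMPLE_LOG = r"""
2004-08-04 04:56 . 2004-08-04 04:56 4734976 --sha-r- c:\windows\system32\tzgdxgok.dll
2010-08-29 09:38 . 2010-08-29 09:38 -------- d-----w- c:\program files\Avira

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7245:TCP"= 7245:TCP:*:Enabled:constructed-value

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/29/2010 5:38 PM 135336]
S2 tehko;Boot Update;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 12:56 PM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
pdmglgaa
tehko
.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tehko]
"ServiceDll"="c:\windows\system32\tzgdxgok.dll"
"""


def parse_log(text):
    """One pass over the log, keeping only the facts triage() needs."""
    f = {"services": {}, "netsvcs": [], "service_dll": {}, "file_attrs": {},
         "firewall_enabled": None, "open_ports": [], "monitoring_off": []}
    key, in_netsvcs = "", False
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs:                      # names under "Svchost - NetSvcs" until "." or a blank line
            if line in ("", "."):
                in_netsvcs = False
            else:
                f["netsvcs"].append(line)
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
        elif line.startswith("[") and line.endswith("]"):
            key = line                      # registry key that the following values belong to
        elif (m := SERVICE_RE.match(line)):
            state, name, display, image = m.groups()
            f["services"][name] = (state, display, image)
        elif (m := FILE_RE.match(line)):
            attrs, path = m.groups()
            f["file_attrs"][path.lower()] = attrs
        elif (m := SERVICEDLL_RE.match(line)) and (k := SERVICES_KEY_RE.match(key)):
            f["service_dll"][k.group(1).lower()] = m.group(1)
        elif key.lower().endswith("\\firewallpolicy\\standardprofile]") and (m := FIREWALL_RE.match(line)):
            f["firewall_enabled"] = m.group(1) != "0"
        elif key.lower().endswith("\\globallyopenports\\list]") and (m := OPEN_PORT_RE.match(line)):
            f["open_ports"].append(m.group(1))
        elif "\\security center\\monitoring" in key.lower() and line.lower() == '"disablemonitoring"=dword:00000001':
            f["monitoring_off"].append(key)
    return f


def triage(text):
    """Return sorted (finding, detail) pairs; an empty list means nothing tripped."""
    f = parse_log(text)
    out = []
    for name, (_state, _display, image) in f["services"].items():
        if "svchost.exe -k netsvcs" not in image.lower():
            continue
        dll = f["service_dll"].get(name.lower())
        attrs = f["file_attrs"].get(dll.lower(), "") if dll else ""
        if "h" in attrs or "s" in attrs:    # hidden/system DLL hosted by svchost: the tehko/tzgdxgok.dll pattern
            out.append(("netsvcs_service_hidden_dll", f"{name} -> {dll} [{attrs}]"))
    known = {n.lower() for n in f["services"]} | set(f["service_dll"])
    for name in f["netsvcs"]:               # group entry with no service line behind it: review by hand (pdmglgaa)
        if name.lower() not in known:
            out.append(("netsvcs_entry_without_service_line", name))
    if f["firewall_enabled"] is False:
        out.append(("firewall_disabled", "standardprofile EnableFirewall=0"))
    out += [("globally_open_port", p) for p in f["open_ports"]]
    out += [("security_center_monitoring_off", k) for k in f["monitoring_off"]]
    return sorted(out)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:38} {detail}")
```

Run it as `python triage_combofix.py` (or call `triage(open("ComboFix.txt").read())` on a real log). The "hidden DLL" rule keys off the attribute column ComboFix prints for each file; a ServiceDll that lives in system32 with the s and h bits set, loaded through the netsvcs group, is exactly what the CFScript in post #7 removes.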


#8 Althaia

  • Topic Starter
  • Members
  • 37 posts

Posted 29 August 2010 - 09:40 PM

Hi,

When I started up, Avira was detecting tzgdxgok.dll too, and was trying to quarantine it. Then it shut down in the process. Anyway, I ran ComboFix and updated it. When it restarted Windows, I got a bit concerned when it took so long to generate a log. I thought it stalled. I'm glad I was mistaken. Also, as the log was pulling up, I got a system message. I hesitated for about a minute, and then it just disappeared. I'm attaching the file. Here's the ComboFix log, by the way:

EDIT:

Apparently, as I was typing this reply, there was an error of some sort. The taskbar changed colors from light blue-ish to gray, then back to light blue-ish. Then I couldn't connect to the internet. I'm restarting the system to see if I can repost this. The system startup also seems to be a step or two slower.

EDIT again:

When I restarted, I clicked on the upload button here, and the same thing happened. I restarted again, then thought of uploading the image through imageshack. Same thing happened. I guess I'll just type what the entire message says:

Ad-Watch Live! Alert
Registry Change

The process handle .cfxxe is trying to make changes to the Startup Settings in the Registry.
[] Do not alert me to changes to this registry area by this process again

[Allow] [Block]

-----

Here's the ComboFix log:


ComboFix 10-08-28.02 - Jan 2010 08/30/2010 9:38.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.246 [GMT 8:00]
Running from: c:\documents and settings\Jan 2010\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jan 2010\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TEHKO
-------\Service_tehko


((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
.

2010-08-29 09:54 . 2010-08-29 17:40 -------- d-----w- c:\windows\system32\NtmsData
2010-08-29 09:53 . 2010-08-29 09:53 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Avira
2010-08-29 09:38 . 2010-03-01 02:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-29 09:38 . 2010-02-16 06:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-29 09:38 . 2009-05-11 04:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-29 09:38 . 2009-05-11 04:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-29 09:38 . 2010-08-29 09:38 -------- d-----w- c:\program files\Avira
2010-08-29 09:38 . 2010-08-29 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-28 15:06 . 2010-08-29 16:14 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\RenPy
2010-08-28 15:01 . 2010-08-28 15:02 -------- d-----w- c:\program files\RE Alistair++
2010-08-25 16:25 . 2010-08-25 16:25 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-25 16:21 . 2010-08-25 16:21 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Malwarebytes
2010-08-25 14:30 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 14:30 . 2010-08-25 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-25 14:30 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-25 14:14 . 2010-08-25 14:17 -------- d-----w- c:\program files\PCPitstop
2010-08-25 09:44 . 2010-08-25 09:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-23 22:28 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-23 21:41 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-23 17:19 . 2010-08-23 17:19 -------- d-----w- c:\documents and settings\Jan 2010\Local Settings\Application Data\Sunbelt Software
2010-08-23 14:50 . 2010-08-23 14:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-23 14:50 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-23 14:49 . 2010-08-23 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-23 14:49 . 2010-08-23 14:49 -------- d-----w- c:\program files\Lavasoft
2010-08-23 06:41 . 2010-08-25 10:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-23 06:41 . 2010-08-23 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-23 01:45 . 2010-08-23 05:59 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-08-19 11:29 . 2010-08-19 11:29 -------- d-----w- c:\documents and settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}
2010-08-16 19:26 . 2010-08-16 19:27 -------- d-----w- c:\documents and settings\Jan 2010\topaz adjust
2010-08-16 18:57 . 2010-08-16 18:57 -------- d-----w- c:\documents and settings\Jan 2010\Adobe Photoshop Lightroom 2.5 Build 605155 Final + Serials
2010-08-16 18:06 . 2010-08-16 18:17 -------- d-----w- c:\documents and settings\Jan 2010\Imagenomic Noiseware Professional Plugin 4.2
2010-08-16 09:05 . 2010-08-16 09:05 89831 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\Uninstall.exe
2010-08-16 09:04 . 2010-08-16 11:59 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\Dropbox
2010-08-12 11:19 . 2010-08-12 11:19 -------- d-----w- c:\documents and settings\Jan 2010\Application Data\PrimoPDF
2010-08-12 10:29 . 2009-12-21 01:42 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-08-12 10:29 . 2010-08-12 10:29 -------- d-----w- c:\program files\Nitro PDF
2010-08-04 03:18 . 2010-08-04 03:18 503808 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\msvcp71.dll
2010-08-04 03:18 . 2010-08-04 03:18 499712 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\jmc.dll
2010-08-04 03:18 . 2010-08-04 03:18 348160 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6bc125a6-n\msvcr71.dll
2010-08-04 03:18 . 2010-08-04 03:18 61440 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-359dbab7-n\decora-sse.dll
2010-08-04 03:18 . 2010-08-04 03:18 12800 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-359dbab7-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 09:43 . 2010-02-15 18:16 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-08-23 06:05 . 2008-09-18 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-23 01:42 . 2008-09-18 01:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-19 11:32 . 2010-07-12 04:43 -------- d-----w- c:\program files\Java
2010-08-19 11:30 . 2010-07-12 04:46 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 04:36 . 2010-07-29 02:37 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-08-16 18:03 . 2009-05-11 10:14 -------- d-----w- c:\program files\YouTube Downloader
2010-07-26 09:11 . 2010-06-11 09:19 25 ----a-w- c:\windows\popcinfot.dat
2010-07-26 07:43 . 2008-10-01 17:25 -------- d-----w- c:\program files\HP
2010-07-24 03:01 . 2010-07-24 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-12 04:45 . 2010-07-12 04:45 503808 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\msvcp71.dll
2010-07-12 04:45 . 2010-07-12 04:45 499712 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\jmc.dll
2010-07-12 04:45 . 2010-07-12 04:45 348160 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7cb9405b-n\msvcr71.dll
2010-07-12 04:45 . 2010-07-12 04:45 61440 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c996f14-n\decora-sse.dll
2010-07-12 04:45 . 2010-07-12 04:45 12800 ----a-w- c:\documents and settings\Jan 2010\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c996f14-n\decora-d3d.dll
2010-07-12 04:44 . 2010-04-17 17:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-04 12:41 . 2010-07-04 12:41 -------- d-----w- c:\program files\Common Files\Adobe
2004-08-04 04:56 . 2004-08-04 04:56 4734976 --sha-r- c:\windows\system32\tzgdxgok.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-26_16.36.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 16:02 . 2009-07-11 16:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 16:05 . 2009-07-11 16:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 16:05 . 2009-07-11 16:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-08-29 09:38 . 2009-05-11 02:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-07-11 16:02 . 2009-07-11 16:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 16:05 . 2009-07-11 16:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-08-29 09:37 . 2010-08-29 09:37 219648 c:\windows\Installer\58b8904.msi
+ 2009-07-11 16:02 . 2009-07-11 16:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 16:02 . 2009-07-11 16:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-10-01 53248]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SlowDownCPU"=c:\windows\INF\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Jan 2010\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/24/2010 5:41 AM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/29/2010 5:38 PM 135336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 PM 1355416]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;"c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe" --> c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS --> c:\windows\system32\DRIVERS\LV532AV.SYS [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SlowDownCPU;SlowDownCPU;c:\windows\inf\MSI\SlowDownCPU\NTGLM7X.SYS [9/18/2008 9:16 AM 25088]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;\??\c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys --> c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15161&l=dis
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jan 2010\Application Data\Mozilla\Firefox\Profiles\wvuoetr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.pipelining.maxrequests - 8
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 09:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Lavasoft Kernexplorer]
"ImagePath"="\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2612)
c:\documents and settings\Jan 2010\Application Data\Dropbox\bin\DropboxExt.13.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\VTTimer.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-08-30 09:55:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-30 01:54
ComboFix2.txt 2010-08-29 04:10
ComboFix3.txt 2010-08-30 01:35

Pre-Run: 70,515,355,648 bytes free
Post-Run: 70,420,811,776 bytes free

- - End Of File - - 7514A173DC5074BC0BFC1E0DA286D77A

Edited by Althaia, 29 August 2010 - 09:44 PM.
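A small triage script for log excerpts like the one above, added here as an example and not part of this thread or of ComboFix itself: it parses ComboFix file entries and registry loading points, flagging non-directory files under c:\windows that carry both the system and hidden attribute flags (as tzgdxgok.dll does with --sha-r-) and registry values that switch off Security Center monitoring or the Windows Firewall. The sample lines are copied from the log in this post; the flagging rules and the WATCHED_DIRS list are my own assumptions.

```python
"""Triage of ComboFix-style log lines (added example; not ComboFix's or the thread's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A ComboFix file entry reads:
#   "<created> . <modified> <size or --------> <attribute flags> <path>"
# The flags column is eight characters: 'd' directory, 'c' compressed,
# 's' system, 'h' hidden, 'a' archive, 'r' read-only, 'w' writable.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[dcsharw-]{8}) (?P<path>.+)$"
)
# Registry section header "[HKEY_...]" / "[HKLM\...]" and a '"name"=value' line.
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>\S.*)$')

# Assumption: loader-visible directories where a hidden+system file deserves review.
WATCHED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Finding:
    kind: str    # "hidden_system_file" or "protection_disabled"
    detail: str


def is_hidden_system_file(attrs: str, path: str) -> bool:
    """True for a non-directory entry in a watched dir with both 's' and 'h' flags set."""
    if attrs.startswith("d"):
        return False
    lowered = path.lower()
    in_watched = any(lowered.startswith(d) for d in WATCHED_DIRS)
    return in_watched and "s" in attrs and "h" in attrs


def is_protection_disabled(key: str, name: str, value: str) -> bool:
    """Security Center monitoring turned off, or the standard-profile firewall set to 0."""
    k = key.lower()
    if "security center\\monitoring" in k and name == "DisableMonitoring":
        return value.strip().lower() == "dword:00000001"
    if "firewallpolicy\\standardprofile" in k and name == "EnableFirewall":
        return value.strip().startswith("0")
    return False


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, remembering the current registry key for value lines."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            if is_hidden_system_file(m["attrs"], m["path"]):
                findings.append(Finding(
                    "hidden_system_file",
                    f'{m["path"]} ({m["attrs"]}, {m["size"]} bytes)'))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = REG_VALUE.match(line)
        if m and is_protection_disabled(current_key, m["name"], m["value"]):
            findings.append(Finding(
                "protection_disabled", f'{current_key}\\{m["name"]} = {m["value"]}'))
    return findings


# Sample excerpt, copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-08-29 09:38 . 2010-03-01 02:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-23 14:50 . 2010-08-23 14:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2004-08-04 04:56 . 2004-08-04 04:56 4734976 --sha-r- c:\windows\system32\tzgdxgok.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20s} {f.detail}")
```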


#9 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:01:01 PM

Posted 29 August 2010 - 11:50 PM

Hi
OK, let's see if we can delete this file manually.

Enable the 'Show Hidden Files/Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

c:\windows\system32\tzgdxgok.dll

After that, Reboot.

After the reboot go back and see if the file is gone or came back or if you could find it or delete it. Let me know.

Thanks
maranatha

Edited by maranatha, 29 August 2010 - 11:52 PM.

Windows7 Professional 64 Bit


I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#10 Althaia

Althaia
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 30 August 2010 - 02:45 AM

Hi,

I tried deleting it twice. First via "normal" mode, and the second via "safe" mode. I got the same results: Cannot delete tzgdxgok.dll access is denied. Make sure the disk is not full or write protected and that the file is not currently in use.

Sorry.

Edit:

For whatever it's worth though, I can now go to the Microsoft and Eset websites. I'm unable to visit others that I used to be able to. Also, Avira has been going berserk every time I click on the file so that I can "try" to delete it. It says that that file is a TR/Dropper.Gen thing. I hope that helps.

Edit again:

It just occurred to me that maybe I can delete it via the command prompt. So I navigated to the c:\windows\system32 folder. Then tried to delete the file. It said file not found. Did a dir /ah, and it showed the file. Then tried changing the attributes, but got a: Access denied - C:\WINDOWS\system32\tzgdxgok.dll.

ETA yet again:

I don't know what's going on, but ever since I tried to delete the file, Avira has really been going nuts. It keeps on detecting worms and trojans in the Temporary Internet Files folder 95% of the time (the remaining 5% is the system32 folder, and it detects a file named "x"). So what happens is, whenever I'm online, Avira detects the "viruses." Then it asks me what to do. I either delete or move the files to quarantine. It's okay for a few seconds, then afterward it detects new files. The process has been going on for the last 4 hours, since I first posted this.

Edited by Althaia, 30 August 2010 - 06:12 AM.


#11 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:01:01 PM

Posted 30 August 2010 - 06:57 AM

Hi
OK, please do this.

Go to Start > Run then copy and paste the following text into the Open field:

"%userprofile%\desktop\mbr.exe" -f

Reboot your computer right after you do this.

Next, double click on the mbr.exe file and post the contents of the mbr.log


Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the icon on your desktop.
  • Paste the following code under the area. Do not include the word "Code".
    CODE
    :files
    c:\windows\system32\tzgdxgok.dll
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please post the logs

Thanks
maranatha

Edited by maranatha, 30 August 2010 - 07:05 AM.



#12 Althaia

Althaia
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 30 August 2010 - 10:00 AM

Will do so ASAP. At the moment, the computer is unable to connect to the internet. Avira has been going nuts, and has been detecting viruses left and right whenever I connect to the internet. I've just been quarantining and/or deleting what it finds. The error message I've been getting is:

Data Execution Prevention - Microsoft Windows
------------------------------------------------------

To help protect your computer, Windows has closed this program.

Name: Generic Host Process for Win32 Services
Publisher: Microsoft Corporation

[Close Message]
---------------------------------------------------------------------------
Data Execution Prevention helps protect against damage from viruses and other
security threats. What should I do?


======

I borrowed another computer, and I'm using that to follow your instructions. Thank you for bearing with me.

Edit: Uhm, where can I get mbr.exe? <-- Googled mbr.exe and found a link to it at: http://www2.gmer.net/mbr/mbr.exe. I hope that's the right place.

Edited by Althaia, 30 August 2010 - 10:10 AM.


#13 Althaia

Althaia
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 30 August 2010 - 10:28 AM

mbr.log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

TDSS Log:
2010/08/30 23:15:25.0453 TDSS rootkit removing tool 2.4.1.3 Aug 27 2010 08:53:42
2010/08/30 23:15:25.0453 ================================================================================
2010/08/30 23:15:25.0453 SystemInfo:
2010/08/30 23:15:25.0453
2010/08/30 23:15:25.0453 OS Version: 5.1.2600 ServicePack: 2.0
2010/08/30 23:15:25.0484 Product type: Workstation
2010/08/30 23:15:25.0484 ComputerName: PTA-3E7E31
2010/08/30 23:15:25.0484 UserName: Jan 2010
2010/08/30 23:15:25.0484 Windows directory: C:\WINDOWS
2010/08/30 23:15:25.0484 System windows directory: C:\WINDOWS
2010/08/30 23:15:25.0515 Processor architecture: Intel x86
2010/08/30 23:15:25.0515 Number of processors: 1
2010/08/30 23:15:25.0515 Page size: 0x1000
2010/08/30 23:15:25.0515 Boot type: Normal boot
2010/08/30 23:15:25.0515 ================================================================================
2010/08/30 23:15:26.0609 Initialize success
2010/08/30 23:15:33.0671 ================================================================================
2010/08/30 23:15:33.0671 Scan started
2010/08/30 23:15:33.0671 Mode: Manual;
2010/08/30 23:15:33.0671 ================================================================================
2010/08/30 23:15:42.0000 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/30 23:15:42.0406 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/30 23:15:43.0078 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/08/30 23:15:43.0875 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/08/30 23:15:45.0234 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/08/30 23:15:46.0781 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/30 23:15:47.0218 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/30 23:15:47.0656 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/30 23:15:48.0109 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/30 23:15:48.0765 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/08/30 23:15:49.0265 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/08/30 23:15:49.0625 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/08/30 23:15:50.0015 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/30 23:15:50.0484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/30 23:15:50.0843 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/08/30 23:15:51.0375 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/30 23:15:51.0609 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/30 23:15:51.0984 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/30 23:15:53.0031 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/30 23:15:53.0359 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/30 23:15:53.0734 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/30 23:15:53.0921 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/30 23:15:54.0062 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/30 23:15:54.0406 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/30 23:15:54.0625 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/30 23:15:54.0828 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/30 23:15:55.0078 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2010/08/30 23:15:55.0265 FETNDISB (a583bc166495b07f704533754ce29cbd) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
2010/08/30 23:15:55.0531 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/30 23:15:55.0703 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/30 23:15:55.0906 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/30 23:15:56.0093 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/30 23:15:56.0375 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/30 23:15:56.0671 gagp30kx (4216cd545e5c30807b560c5dcaa812e6) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
2010/08/30 23:15:56.0968 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/30 23:15:57.0187 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/30 23:15:57.0593 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/08/30 23:15:57.0828 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/08/30 23:15:58.0109 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/08/30 23:15:58.0640 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
2010/08/30 23:15:59.0109 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2010/08/30 23:15:59.0484 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/30 23:15:59.0656 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/30 23:15:59.0812 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/30 23:15:59.0968 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/30 23:16:00.0078 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/30 23:16:00.0218 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/30 23:16:00.0390 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/30 23:16:00.0546 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/30 23:16:00.0687 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/30 23:16:00.0796 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/30 23:16:00.0921 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/30 23:16:01.0015 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/30 23:16:01.0203 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/30 23:16:01.0578 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/30 23:16:01.0718 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/08/30 23:16:01.0859 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/08/30 23:16:02.0046 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/08/30 23:16:02.0218 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/30 23:16:02.0359 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/30 23:16:02.0515 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/30 23:16:02.0640 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/30 23:16:02.0750 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/30 23:16:02.0859 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/30 23:16:02.0968 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/30 23:16:03.0171 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/30 23:16:03.0343 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/30 23:16:03.0484 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/30 23:16:03.0625 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/30 23:16:03.0750 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/30 23:16:03.0859 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/08/30 23:16:03.0984 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/30 23:16:04.0140 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/08/30 23:16:04.0281 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/30 23:16:04.0375 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/08/30 23:16:04.0437 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/30 23:16:04.0546 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/30 23:16:04.0750 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/30 23:16:04.0828 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/30 23:16:04.0937 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/30 23:16:05.0109 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/30 23:16:05.0281 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/30 23:16:05.0500 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/30 23:16:05.0671 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/30 23:16:05.0796 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/30 23:16:05.0906 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/30 23:16:06.0093 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/30 23:16:06.0234 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/30 23:16:06.0437 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/30 23:16:06.0531 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/30 23:16:06.0703 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/30 23:16:06.0812 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/30 23:16:07.0234 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/30 23:16:07.0515 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/30 23:16:07.0781 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/30 23:16:07.0968 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/30 23:16:08.0062 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/30 23:16:08.0500 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/30 23:16:08.0593 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/30 23:16:08.0703 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/30 23:16:08.0796 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/30 23:16:08.0921 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/30 23:16:09.0109 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/30 23:16:09.0234 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/30 23:16:09.0406 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/30 23:16:09.0531 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/30 23:16:09.0671 RimVSerPort (32d6ab810537ce38cbffe04ed9f6709a) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/08/30 23:16:09.0781 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/08/30 23:16:09.0906 RushTopDevice (5f8b43d0bcc1c3ba878e72470f1df79e) C:\WINDOWS\INF\MSI\SlowDownCPU\RushTop.sys
2010/08/30 23:16:10.0031 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/30 23:16:10.0125 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/30 23:16:10.0218 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/30 23:16:10.0390 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/30 23:16:10.0562 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/08/30 23:16:10.0671 SlowDownCPU (9c834889b33e1c39bcc016e9d5fd16ae) C:\WINDOWS\INF\MSI\SlowDownCPU\NTGLM7X.sys
2010/08/30 23:16:10.0796 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/30 23:16:10.0968 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/30 23:16:11.0171 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/30 23:16:11.0328 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/08/30 23:16:11.0437 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/08/30 23:16:11.0562 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/30 23:16:11.0671 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/30 23:16:11.0843 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/30 23:16:11.0968 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/30 23:16:12.0140 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/30 23:16:12.0312 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/30 23:16:12.0437 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/30 23:16:12.0703 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/30 23:16:12.0843 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/30 23:16:12.0984 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/30 23:16:13.0093 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/30 23:16:13.0187 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/30 23:16:13.0359 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/30 23:16:13.0453 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/30 23:16:13.0562 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/30 23:16:13.0671 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/30 23:16:13.0765 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/08/30 23:16:13.0875 viagfx (8415d39e3f95e27f5247072c78812c24) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2010/08/30 23:16:13.0984 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/08/30 23:16:14.0140 VIAudio (2e1ffc794290d9b16f1db1084583e655) C:\WINDOWS\system32\drivers\vinyl97.sys
2010/08/30 23:16:14.0265 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/30 23:16:14.0375 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/30 23:16:14.0437 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/30 23:16:14.0625 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
2010/08/30 23:16:15.0234 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
2010/08/30 23:16:15.0406 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/08/30 23:16:15.0546 ================================================================================
2010/08/30 23:16:15.0546 Scan finished
2010/08/30 23:16:15.0546 ================================================================================
2010/08/30 23:16:34.0875 Deinitialize success

OTM log:
All processes killed
========== FILES ==========
LoadLibrary failed for c:\windows\system32\tzgdxgok.dll
c:\windows\system32\tzgdxgok.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Jan 2010
->Temp folder emptied: 4349074 bytes
->Temporary Internet Files folder emptied: 1731132 bytes
->Java cache emptied: 9098681 bytes
->FireFox cache emptied: 38186502 bytes
->Flash cache emptied: 404544 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 250703 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 371852 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 54.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08302010_231936

Files moved on Reboot...

Registry entries deleted on Reboot...


#14 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:01:01 PM

Posted 30 August 2010 - 08:47 PM

Hi
Are you using a router? If so, please reset it.

Open a command window and type the following commands, hitting enter after each.

ipconfig /release

ipconfig /flushdns

ipconfig /renew


Now download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box copy and paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy the contents of these files, one at a time, and post them back here.


Thanks
maranatha

Edited by maranatha, 30 August 2010 - 09:25 PM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, but I do accept donations.
Donate Here

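The /md5start ... /md5stop block in the custom scan above asks OTL to print the MD5 of a fixed list of storage and logon drivers that the rootkits of that period were known to patch in place (the TDSS/Alureon infection of atapi.sys is the best-known case), so a helper can compare each hash with a clean copy; the TDSSKiller listing posted earlier in the thread gives the same three fields (service name, MD5, image path) for every loaded driver. The Python below is an added example, not part of OldTimer's OTL or Kaspersky's TDSSKiller: it parses lines in the TDSSKiller format, flags drivers loaded from outside the usual driver directories for manual review, and reports hash mismatches against a reference table. The reference table and the atapi line in the sample input are constructed for illustration and are not a vetted clean-file hash list.

```python
import hashlib
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One TDSSKiller driver line looks like:
#   2010/08/30 23:16:11.0968 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
# i.e. timestamp, service name (may contain spaces), MD5 in parentheses, image path.
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<svc>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$"
)

# Directories a kernel driver is normally loaded from on a stock XP install.
EXPECTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\system32\\drivers"}


@dataclass(frozen=True)
class DriverEntry:
    service: str
    md5: str
    path: str


def parse_tdss_lines(text):
    """Return a DriverEntry for every line in the listing format.
    Separator lines and 'Scan finished' do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["svc"], m["md5"].lower(), m["path"]))
    return entries


def flag_unusual_locations(entries):
    """Entries whose image lives outside the usual driver directories.
    These are review candidates, not verdicts: vendor tools legitimately
    load drivers from their own folders (see the Lavasoft entry)."""
    flagged = []
    for e in entries:
        parent = str(PureWindowsPath(e.path).parent).lower()
        if parent not in EXPECTED_DIRS:
            flagged.append(e)
    return flagged


def hash_mismatches(entries, reference):
    """Entries whose MD5 differs from the reference value for that service.
    This is the comparison the OTL /md5start block lets a helper do by eye."""
    return [e for e in entries
            if e.service in reference and e.md5 != reference[e.service].lower()]


def md5_hex(data: bytes) -> str:
    """MD5 in the lowercase hex form TDSSKiller and OTL print, for hashing a
    file yourself and comparing with a log line."""
    return hashlib.md5(data).hexdigest()


# Sample input. The Tcpip, RushTopDevice and Lavasoft lines are copied from
# the TDSSKiller log in this thread; the atapi line is CONSTRUCTED with an
# all-zero hash to show a mismatch and is not from the original log.
SAMPLE_LOG = """\
2010/08/30 23:16:11.0968 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys
2010/08/30 23:15:50.0000 atapi (00000000000000000000000000000000) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
2010/08/30 23:16:09.0906 RushTopDevice (5f8b43d0bcc1c3ba878e72470f1df79e) C:\\WINDOWS\\INF\\MSI\\SlowDownCPU\\RushTop.sys
2010/08/30 23:16:01.0718 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\\Program Files\\Lavasoft\\Ad-Aware\\KernExplorer.sys
2010/08/30 23:16:15.0546 ================================================================================
2010/08/30 23:16:15.0546 Scan finished
"""

# ILLUSTRATIVE reference table (assumption, not a clean-file hash list).
# Tcpip's value is copied from the log above; atapi's is a made-up placeholder.
# A real check takes hashes from a clean install of the same service pack,
# never from the machine under investigation.
REFERENCE = {
    "Tcpip": "9f4b36614a0fc234525ba224957de55c",
    "atapi": "0123456789abcdef0123456789abcdef",  # placeholder
}


def run_checks(text=SAMPLE_LOG, reference=REFERENCE):
    """Parse the listing and return the two review lists by service name."""
    entries = parse_tdss_lines(text)
    return {
        "parsed": len(entries),
        "unusual_location": [e.service for e in flag_unusual_locations(entries)],
        "hash_mismatch": [e.service for e in hash_mismatches(entries, reference)],
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

MD5 is adequate for this comparison: an attacker would need a second preimage of one specific clean driver, not a collision. The weak point of the workflow is the reference list, which has to come from a clean system at the same service pack level; comparing a suspect file against itself, or against a hash copied from another infected log, proves nothing. A driver flagged for an unusual path (the MSI SlowDownCPU drivers under C:\WINDOWS\INF here) is a prompt to check the publisher and file, not evidence of infection.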

#15 Althaia

Althaia
  • Topic Starter

  • Members
  • 37 posts
  • Local time:04:01 AM

Posted 31 August 2010 - 11:12 AM

Hi,

Still using a different computer to go online.

ipconfig /renew

gets a timeout error message. I don't have a router either.



OTL.txt

OTL logfile created on: 8/31/2010 11:47:21 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Jan 2010\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 89.00 Mb Available Physical Memory | 20.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 65.54 Gb Free Space | 85.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PTA-3E7E31
Current User Name: Jan 2010
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/31 23:49:26 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan 2010\Desktop\OTL.exe
PRC - [2010/08/12 20:15:19 | 001,355,416 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/08/12 20:15:19 | 000,864,624 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/10/01 16:31:54 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2004/08/04 12:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/08/31 23:49:26 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan 2010\Desktop\OTL.exe
MOD - [2004/08/04 12:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 11:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010/08/12 20:15:19 | 001,355,416 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/10/30 15:01:00 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\NTGLM7X.sys -- (SetupNTGLM7X)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LV532AV.SYS -- (PID_0920) Logitech QuickCam Express(PID_0920)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\NTACCESS.sys -- (NTACCESS)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\install4\MSICPL.sys -- (MSICPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/08/12 20:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/08/12 20:15:19 | 000,015,008 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2005/06/08 15:13:00 | 000,025,088 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\inf\MSI\SlowDownCPU\NTGLM7X.SYS -- (SlowDownCPU)
DRV - [2005/06/08 12:02:06 | 000,033,280 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\inf\MSI\SlowDownCPU\RushTop.sys -- (RushTopDevice)
DRV - [2005/03/09 14:53:00 | 000,036,352 | R--- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/09/06 16:01:56 | 000,161,536 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15161&l=dis
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com.ph/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/23 14:02:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/03 10:54:51 | 000,000,000 | ---D | M]

[2009/12/11 08:41:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan 2010\Application Data\Mozilla\Extensions
[2009/12/11 08:41:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan 2010\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/08/31 11:26:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan 2010\Application Data\Mozilla\Firefox\Profiles\wvuoetr1.default\extensions
[2010/08/28 03:32:54 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Jan 2010\Application Data\Mozilla\Firefox\Profiles\wvuoetr1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/07 05:19:09 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Jan 2010\Application Data\Mozilla\Firefox\Profiles\wvuoetr1.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/05/01 11:29:29 | 000,002,426 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Application Data\Mozilla\Firefox\Profiles\wvuoetr1.default\searchplugins\askcom.xml
[2010/08/31 11:26:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/12 12:44:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/08/31 02:08:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\npmozax@real.com
[2010/07/12 12:44:04 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/08/05 06:36:47 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2008/11/08 20:29:19 | 000,279,888 | ---- | M] (Musicnotes, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npmusicn.dll
[2009/03/30 17:13:54 | 000,098,304 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npraclient.dll

O1 HOSTS File: ([2010/08/30 09:43:46 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} http://utilities.pcpitstop.com/Exterminate...opAntiVirus.dll (PCPitstop AntiVirus)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jan 2010\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jan 2010\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/17 20:15:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: UxTuneUp - C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54619756233228288)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/31 23:43:11 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jan 2010\Desktop\OTL.exe
[2010/08/30 23:19:36 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/08/30 23:15:10 | 001,207,120 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jan 2010\Desktop\TDSSKiller.exe
[2010/08/30 23:11:38 | 000,520,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jan 2010\Desktop\OTM.exe
[2010/08/30 18:34:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/08/30 12:36:53 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/30 11:32:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Avira
[2010/08/30 11:04:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/30 09:42:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/08/29 17:54:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/08/29 17:53:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Application Data\Avira
[2010/08/29 17:38:34 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/08/29 17:38:32 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/08/29 17:38:32 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/08/29 17:38:32 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/08/29 17:38:32 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/08/29 17:38:18 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/08/29 17:38:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/08/28 23:06:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Application Data\RenPy
[2010/08/28 23:01:56 | 000,000,000 | ---D | C] -- C:\Program Files\RE Alistair++
[2010/08/27 00:31:29 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/27 00:27:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/27 00:27:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/27 00:27:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/27 00:27:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/27 00:27:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/27 00:27:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/26 00:21:07 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/08/25 22:30:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Application Data\Malwarebytes
[2010/08/25 22:30:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/25 22:30:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/25 22:30:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/25 22:30:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/25 22:14:31 | 000,000,000 | ---D | C] -- C:\Program Files\PCPitstop
[2010/08/25 17:44:50 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/08/24 05:41:00 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/08/24 01:19:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Local Settings\Application Data\Sunbelt Software
[2010/08/23 22:50:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2010/08/23 22:49:10 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/08/23 22:49:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/08/23 14:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/08/23 14:41:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/08/23 09:45:25 | 000,000,000 | ---D | C] -- C:\Program Files\Emsisoft Anti-Malware
[2010/08/23 09:45:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\My Documents\Anti-Malware
[2010/08/19 19:29:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150050}
[2010/08/18 23:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Desktop\for export
[2010/08/17 03:26:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\topaz adjust
[2010/08/17 02:57:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Adobe Photoshop Lightroom
[2010/08/17 02:06:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Noiseware
[2010/08/16 17:07:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Jan 2010\My Documents\My Dropbox
[2010/08/16 17:04:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Application Data\Dropbox
[2010/08/12 19:19:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Application Data\PrimoPDF
[2010/08/12 18:29:05 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2010/07/24 11:01:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/07/17 22:07:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jan 2010\Recent
[2010/07/16 19:05:37 | 000,000,000 | ---D | C] -- C:\New Folder
[2010/07/12 12:46:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/12 12:43:55 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/04 20:41:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/06/18 11:05:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2010/06/12 20:43:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jan 2010\Desktop\RBSR2010
[2 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
[2 C:\Documents and Settings\Jan 2010\My Documents\*.tmp files -> C:\Documents and Settings\Jan 2010\My Documents\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/31 23:49:26 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan 2010\Desktop\OTL.exe
[2010/08/31 23:46:28 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\Jan 2010\NTUSER.DAT
[2010/08/31 20:18:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/08/31 20:16:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/31 20:16:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/31 20:15:44 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jan 2010\ntuser.ini
[2010/08/31 20:15:29 | 006,944,168 | -H-- | M] () -- C:\Documents and Settings\Jan 2010\Local Settings\Application Data\IconCache.db
[2010/08/31 16:10:35 | 000,000,025 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2010/08/30 23:25:50 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\mbr.exe
[2010/08/30 23:10:48 | 000,520,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jan 2010\Desktop\OTM.exe
[2010/08/30 23:10:02 | 001,142,139 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\tdsskiller.zip
[2010/08/30 09:44:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/30 09:43:46 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/30 09:35:15 | 003,830,790 | R--- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\ComboFix.exe
[2010/08/30 09:25:26 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/29 17:38:54 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/27 12:45:48 | 000,004,380 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\prof.JPG
[2010/08/27 12:44:01 | 000,042,178 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\40409_463001757867_559372867_6620264_2672420_n.jpg
[2010/08/27 09:09:12 | 000,016,113 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\newspaper copy.docx
[2010/08/27 08:54:52 | 001,207,120 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jan 2010\Desktop\TDSSKiller.exe
[2010/08/27 00:31:34 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/26 00:25:48 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/25 22:30:38 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/25 17:44:50 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/08/25 10:20:50 | 000,030,015 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\Chili.docx
[2010/08/24 19:30:03 | 000,016,269 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\reviewer in math - mao - first quarter.docx
[2010/08/23 22:49:59 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/08/23 14:41:58 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\Spybot - Search & Destroy.lnk
[2010/08/17 02:03:45 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\YouTube Downloader.lnk
[2010/08/17 01:56:26 | 000,011,978 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\muli review.docx
[2010/08/16 17:54:11 | 000,013,752 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\Precious Metals Report Outline.docx
[2010/08/16 17:19:04 | 000,679,547 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\733FF68Fd01.pdf
[2010/08/16 08:57:53 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\EDAD 201 TH - Case Study - Outline.doc
[2010/08/13 08:21:51 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\~$blic opinion - walter lippman - chapter 4 and 5.docx
[2010/08/13 08:21:50 | 000,110,190 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\public opinion - walter lippman - chapter 4 and 5.docx
[2010/08/12 20:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/08/12 20:15:20 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/08/12 19:34:31 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/08/12 19:18:28 | 000,071,346 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\public opinion - walter lippman - chapter 1 to 3.docx
[2010/08/12 18:29:43 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2010/08/12 18:29:08 | 000,000,314 | ---- | M] () -- C:\WINDOWS\primopdf.ini
[2010/08/07 18:55:23 | 000,015,978 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\JPEPA features that are relevant to the automobile industry.docx
[2010/08/06 09:48:20 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/05 22:52:43 | 000,014,008 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\The Alternative Press.docx
[2010/08/01 06:18:07 | 000,016,048 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\EdAd 222.docx
[2010/07/30 07:06:25 | 000,015,196 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\rekrut review.docx
[2010/07/26 17:11:28 | 000,000,025 | ---- | M] () -- C:\Documents and Settings\Jan 2010\Desktop\popcinfot.dat
[2010/07/21 02:02:21 | 000,011,837 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\J 103 - protest movements.docx
[2010/07/16 09:52:09 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\Rebyu ng Halo.doc
[2010/07/16 09:52:01 | 000,013,876 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\Rebyu ng Halo.docx
[2010/07/13 16:41:04 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\~$byu ng Halo.docx
[2010/07/02 07:03:47 | 000,012,042 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\Ang Dalawang Mukha ng Toy Story 3.docx
[2010/07/02 07:03:08 | 000,051,200 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\mulan.doc
[2010/06/18 16:22:40 | 000,071,168 | ---- | M] () -- C:\Documents and Settings\Jan 2010\My Documents\danny arao columns.doc
[2 C:\Documents and Settings\Jan 2010\My Documents\*.tmp files -> C:\Documents and Settings\Jan 2010\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/30 23:11:38 | 001,142,139 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\tdsskiller.zip
[2010/08/30 23:11:38 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\mbr.exe
[2010/08/30 18:46:44 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2010/08/29 17:38:53 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/08/29 11:59:08 | 003,830,790 | R--- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\ComboFix.exe
[2010/08/27 12:45:48 | 000,004,380 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\prof.JPG
[2010/08/27 12:43:58 | 000,042,178 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\40409_463001757867_559372867_6620264_2672420_n.jpg
[2010/08/27 08:35:57 | 000,016,113 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\newspaper copy.docx
[2010/08/27 00:31:34 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/27 00:31:32 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/27 00:27:57 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/27 00:27:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/27 00:27:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/27 00:27:57 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/27 00:27:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/26 00:25:48 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/25 22:30:38 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/25 08:52:51 | 000,030,015 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\Chili.docx
[2010/08/24 19:30:03 | 000,016,269 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\reviewer in math - mao - first quarter.docx
[2010/08/24 06:28:46 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/08/24 05:42:33 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/08/23 22:49:59 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/08/23 14:41:58 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\Spybot - Search & Destroy.lnk
[2010/08/17 02:03:45 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\YouTube Downloader.lnk
[2010/08/16 22:32:31 | 000,011,978 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\muli review.docx
[2010/08/16 17:54:07 | 000,013,752 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\Precious Metals Report Outline.docx
[2010/08/16 17:27:10 | 000,679,547 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\733FF68Fd01.pdf
[2010/08/16 08:57:52 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\EDAD 201 TH - Case Study - Outline.doc
[2010/08/13 08:21:51 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\~$blic opinion - walter lippman - chapter 4 and 5.docx
[2010/08/13 08:21:49 | 000,110,190 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\public opinion - walter lippman - chapter 4 and 5.docx
[2010/08/12 19:34:10 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/08/12 18:29:43 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2010/08/12 18:29:09 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2010/08/12 18:28:57 | 000,071,346 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\public opinion - walter lippman - chapter 1 to 3.docx
[2010/08/05 20:13:14 | 000,014,008 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\The Alternative Press.docx
[2010/08/04 17:08:45 | 000,015,978 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\JPEPA features that are relevant to the automobile industry.docx
[2010/08/01 05:48:52 | 000,016,048 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\EdAd 222.docx
[2010/07/30 06:53:02 | 000,015,196 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\rekrut review.docx
[2010/07/20 22:00:05 | 000,011,837 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\J 103 - protest movements.docx
[2010/07/16 09:52:08 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\Rebyu ng Halo.doc
[2010/07/13 16:41:04 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\~$byu ng Halo.docx
[2010/07/13 16:41:03 | 000,013,876 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\Rebyu ng Halo.docx
[2010/07/02 05:19:40 | 000,051,200 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\mulan.doc
[2010/07/01 22:45:47 | 000,012,042 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\Ang Dalawang Mukha ng Toy Story 3.docx
[2010/06/18 07:31:37 | 000,071,168 | ---- | C] () -- C:\Documents and Settings\Jan 2010\My Documents\danny arao columns.doc
[2010/06/11 17:19:53 | 000,000,025 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Desktop\popcinfot.dat
[2010/05/05 07:10:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WinInit.ini
[2010/05/01 17:58:38 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/03/07 08:28:02 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Jan 2010\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/21 09:42:18 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2009/10/23 02:03:09 | 000,108,912 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/01/31 20:18:52 | 000,000,049 | ---- | C] () -- C:\WINDOWS\qtw.ini
[2008/11/14 15:05:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ka.ini
[2008/10/02 01:34:17 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2008/10/02 01:13:42 | 000,022,211 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/09/18 09:21:56 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2004/08/04 12:56:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/07/17 23:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2010/04/03 14:43:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2010/08/30 18:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/06/18 11:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2009/11/30 17:39:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/08/23 22:50:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2010/08/16 19:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan 2010\Application Data\Dropbox
[2010/04/06 12:38:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan 2010\Application Data\fretsonfire
[2010/08/12 19:19:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan 2010\Application Data\PrimoPDF
[2010/08/30 00:14:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jan 2010\Application Data\RenPy
[2010/08/31 20:18:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/07/31 21:51:07 | 000,442,392 | ---- | M] (Symantec Corporation) -- C:\FixBrisvA.exe


< MD5 for: AGP440.SYS >
[2004/08/04 13:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 13:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 10:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 10:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 12:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 12:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 12:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/04 12:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 12:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 12:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 12:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 12:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 12:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/09/17 15:55:52 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/09/17 15:55:52 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/09/17 15:55:52 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >