
IE8 homepage hijacked by www.6700.cn


  • This topic is locked
17 replies to this topic

#1 samatar

  • Members
  • 10 posts

Posted 16 September 2010 - 07:23 PM


I have already tried several tools but was unable to get rid of this..
Here's my hijackthis log. Thanks a lot!


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:20:53 AM, on 9/17/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {589E405E-6C09-4341-862A-FFFEBD5C3C8C} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon-Pro\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Centra Launcher] C:\Program Files\Centra\Client\bin\centraSystray.exe /startup
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?e50b0d39614d4839b3b204b095624854
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?e50b0d39614d4839b3b204b095624854
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mapi32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://centrasrv.cet.ac.il/SiteRoots/main/...raUpdaterAx.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {22055A00-27C0-438B-BF53-44E973A4C48A} (VPlayer Control) - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: biroas.dll lensch.dll thermnc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: ????? Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: MSI_WLAN_Service - Unknown owner - C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 13336 bytes
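As an added example (not part of this thread and not a BleepingComputer or HijackThis tool), a small Python triage script that reads the HijackThis line types shown in the log above and flags what a responder looks at first: a start/search page whose host is outside an assumed allowlist (go.microsoft.com and www.google.com are assumed here, based on the Microsoft default and the Google page seen in this thread), orphaned R3/O2/O3 entries marked "(no file)", and a non-empty O20 AppInit_DLLs value. The sample lines are copied from the log above.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature)."""
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log in this thread (not a full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - (no file)
O2 - BHO: (no name) - {589E405E-6C09-4341-862A-FFFEBD5C3C8C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O20 - AppInit_DLLs: biroas.dll lensch.dll thermnc.dll
"""

# Assumed allowlist: the Microsoft default start page host and the Google page
# that MBAM restored in this thread. Adjust to the organisation's real defaults.
ALLOWED_PAGE_HOSTS = {"go.microsoft.com", "www.google.com"}


class Finding(NamedTuple):
    severity: str  # "high" or "info"
    rule: str
    line: str


# Every HijackThis entry starts with a section tag such as R0, O2, O20.
_ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
# R0/R1 lines: "<hive\key>,<value name> = <url>"
_PAGE_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>.*)$")


def page_host(url: str) -> str:
    """Hostname of a start/search page value. The hijacked value in the log has no
    scheme; urlparse would then treat the host as a path, so one is supplied."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).netloc.lower()


def triage_line(line: str) -> List[Finding]:
    """Apply the three checks to one log line and return zero or more findings."""
    line = line.rstrip()
    m = _ENTRY_RE.match(line)
    if not m:
        return []
    section, rest = m.group("section"), m.group("rest")
    out: List[Finding] = []

    pm = _PAGE_RE.match(line)
    if pm:
        value, host = pm.group("value").strip(), page_host(pm.group("url").strip())
        if host not in ALLOWED_PAGE_HOSTS:
            out.append(Finding("high", f"IE {value} points at {host}", line))

    # Orphaned hooks/BHOs/toolbars: a registered component whose DLL is gone.
    if section in ("R3", "O2", "O3") and rest.endswith("(no file)"):
        out.append(Finding("info", "registered component whose file is missing", line))

    # AppInit_DLLs are loaded into every process that loads user32.dll, so any
    # value here deserves a look; the legitimate case is almost always empty.
    if section == "O20" and rest.startswith("AppInit_DLLs:"):
        dlls = rest.split(":", 1)[1].split()
        if dlls:
            out.append(Finding("high", "AppInit_DLLs loads " + ", ".join(dlls), line))
    return out


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the findings in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
```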



#2 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 16 September 2010 - 08:36 PM

Hi samatar,

Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.


Step 1

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish, so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Step 2
  1. Please download OTL and save it to your desktop.
  2. Double click on the icon on your desktop.
  3. Click the "Scan All Users" checkbox.
  4. Under the Custom Scan box paste the following bolded text:


    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90


  5. Click the "Quick Scan" button.
  6. The scan should take just a few minutes.
  7. OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  8. Copy and paste both logs back here in your next reply.



In your next reply, please post back:


1. MBAM log
2. OTListIt.txt and Extra.txt

Thanks.

#3 samatar
  • Topic Starter

  • Members
  • 10 posts

Posted 17 September 2010 - 05:34 AM

Thank you so much for your help, sundavis! I performed the scans and here are the results:

MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4638

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/17/2010 12:14:17 PM
mbam-log-2010-09-17 (12-14-17).txt

Scan type: Quick scan
Objects scanned: 147747
Time elapsed: 7 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protectedstori (Extension.Mismatch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOGKILLER (Worm.Megania) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.6700.cn?tn=102733) Good: (http://www.Google.com) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.6700.cn?tn=102733) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\samh.log (Extension.Mismatch) -> Quarantined and deleted successfully.

------------------------------------------------------------------------------------------------------------------------


OTL:

A warning message appeared in the tray during the scan which reads:
OTL:OTL.exe - Corrupt File
The file or directory
\WINDOWS\SoftwareDistribution\Download\Install is corrupt and unreadable. Please run ..something (the bubble disappeared while writing).

At any rate here are the logs:
OTL.Txt:

OTL logfile created on: 9/17/2010 12:21:40 PM - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\USER\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: ארצות הברית | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 108.00 Mb Available Physical Memory | 24.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): c:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.07 Gb Total Space | 2.26 Gb Free Space | 5.79% Space Free | Partition Type: FAT32
Drive D: | 35.44 Gb Total Space | 6.82 Gb Free Space | 19.25% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VICTOR
Current User Name: USER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/17 12:20:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER\Desktop\OTL.exe
PRC - [2010/05/06 23:59:42 | 002,815,192 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/08 09:15:26 | 003,233,752 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\RegMech.exe
PRC - [2010/04/08 09:14:22 | 000,632,792 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/06 18:21:00 | 000,224,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Toolbar\wltuser.exe
PRC - [2008/10/28 18:45:18 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/10/09 12:49:24 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2007/09/20 04:48:52 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 00:56:58 | 000,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe
PRC - [2004/07/29 15:04:42 | 002,052,173 | ---- | M] (Babylon Ltd.) -- C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
PRC - [2002/06/18 14:04:54 | 000,503,808 | ---- | M] () -- D:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
PRC - [2002/06/18 03:37:22 | 001,515,566 | ---- | M] (The MathWorks Inc.) -- d:\MATLAB6p5\bin\win32\matlab.exe


========== Modules (SafeList) ==========

MOD - [2010/09/17 12:20:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER\Desktop\OTL.exe
MOD - [2007/09/20 06:35:28 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/03 22:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2004/07/29 14:57:58 | 000,110,592 | ---- | M] (Babylon Ltd.) -- C:\Program Files\Babylon\Babylon-Pro\captlib.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - File not found [Unknown | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\Fonts\BF979708.EXE -- (560C3A5D)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/05/06 23:59:38 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/04/08 09:14:22 | 000,632,792 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2009/09/20 15:46:00 | 003,474,384 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/10/09 12:49:24 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/09/27 12:01:36 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\WINDOWS\icpb.dll -- (IPRIP)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2004/08/04 00:56:58 | 000,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2004/08/03 23:56:58 | 000,026,112 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\skeys.exe -- (SerialKeys)
SRV - [2004/05/11 14:43:00 | 000,180,224 | ---- | M] () [Auto | Stopped] -- C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe -- (MSI_WLAN_Service)
SRV - [2003/04/07 22:21:46 | 000,065,795 | R--- | M] (HP) [Disabled | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/06/18 14:04:54 | 000,503,808 | ---- | M] () [Auto | Running] -- D:\MATLAB6p5\webserver\bin\win32\matlabserver.exe -- (matlabserver)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Senfilt.sys -- (SenFiltService)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys -- (FETNDIS)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys -- (dump_wmimmc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\USER\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\AEAudio.sys -- (AEAudioService)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2010/05/06 23:39:24 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/05/06 23:39:00 | 000,164,048 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/05/06 23:34:28 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/05/06 23:34:00 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/05/06 23:33:48 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/05/06 23:33:30 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2007/09/20 11:33:18 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HdAudio.sys -- (HdAudAddService)
DRV - [2007/09/20 04:55:58 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/09/20 04:33:16 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2006/09/27 14:13:56 | 000,611,064 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2005/01/01 12:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\npptNT2.sys -- (NPPTNT2)
DRV - [2004/10/08 03:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/22 16:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
DRV - [2004/08/22 16:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)
DRV - [2004/08/13 04:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/04 01:07:00 | 000,028,576 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\oknjd.sys -- (oknjd)
DRV - [2004/08/03 22:41:46 | 000,095,424 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2004/08/03 22:41:46 | 000,013,240 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2004/08/03 22:41:44 | 000,404,990 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr)
DRV - [2004/08/03 22:41:40 | 000,180,360 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)
DRV - [2004/08/03 22:41:40 | 000,126,686 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2004/08/03 22:41:40 | 000,013,776 | ---- | M] (Smart Link) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys -- (RecAgent)
DRV - [2004/08/03 22:41:38 | 001,309,184 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)
DRV - [2004/08/03 22:03:36 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2004/03/15 10:03:18 | 000,104,448 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\M2500.sys -- (M2500)
DRV - [2004/03/11 23:43:50 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2003/07/01 21:26:16 | 000,016,128 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)
DRV - [2002/12/02 09:33:08 | 000,250,368 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2002/11/26 15:40:16 | 000,008,576 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2001/08/23 12:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2001/08/23 12:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 14:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733

IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.com/results.aspx?q={sea...ferrer:source?}
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.Google.com/
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1390067357-839522115-1957994488-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1390067357-839522115-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2001/08/23 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (no name) - {589E405E-6C09-4341-862A-FFFEBD5C3C8C} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Babylon) - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon-Pro\Babylon Toolbar\BabylonIEToolBar.dll (Babylon Ltd.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {26E71720-56EE-4656-B61D-FA7C89CD8DCD} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {26E71720-56EE-4656-B61D-FA7C89CD8DCD} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\Toolbar\WebBrowser: (Babylon) - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon-Pro\Babylon Toolbar\BabylonIEToolBar.dll (Babylon Ltd.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe (Babylon Ltd.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004..\Run: [Centra Launcher] C:\Program Files\Centra\Client\bin\centraSystray.exe ()
O4 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
O4 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] File not found
O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1390067357-839522115-1957994488-500\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1390067357-839522115-1957994488-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O8 - Extra context menu item: Open in new background tab - C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Open in new foreground tab - C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Translate with &Babylon - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll (Babylon Ltd.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\System32\mapi32.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} http://centrasrv.cet.ac.il/SiteRoots/main/...raUpdaterAx.cab (CentraUpdaterAxCtl Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {22055A00-27C0-438B-BF53-44E973A4C48A} http://thesecret.tv/movie/player/vivid_ocx.jpeg (VPlayer Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/Facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab (ZoneIntro Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab (Solitaire Showdown Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (biroas.dll) - File not found
O20 - AppInit_DLLs: (lensch.dll) - File not found
O20 - AppInit_DLLs: (thermnc.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {589E405E-6C09-4341-862A-FFFEBD5C3C8C} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/06/16 00:25:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2005/02/26 14:35:30 | 000,000,095 | ---- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe
O33 - MountPoints2\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe
O33 - MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\Shell - "" = AutoRun
O33 - MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\Shell\Auto\command - "" = G:\auto.exe -- File not found
O33 - MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\Shell - "" = AutoRun
O33 - MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\Shell - "" = AutoRun
O33 - MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\Shell\Auto\command - "" = G:\auto.exe -- File not found
O33 - MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\System32\wzcdlg.dll -- [2007/09/20 04:35:22 | 000,383,488 | ---- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/17 12:20:21 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\USER\Desktop\OTL.exe
[2010/09/17 12:03:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/17 12:03:35 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/17 12:03:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/15 12:09:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\USER\Local Settings\Application Data\PCHealth
[2010/09/15 00:32:58 | 000,000,000 | -HSD | C] -- C:\FOUND.006
[2010/09/11 16:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\USER\Desktop\RAR
[2010/09/11 13:58:18 | 000,000,000 | -HSD | C] -- C:\FOUND.005
[2010/09/08 18:59:56 | 000,000,000 | -HSD | C] -- C:\FOUND.004
[2010/08/29 12:36:50 | 000,000,000 | -HSD | C] -- C:\FOUND.003
[2010/08/09 15:26:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\USER\Desktop\New Folder
[2010/07/31 20:44:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\USER\Desktop\Das Weisse Rauschen
[2008/01/14 18:31:21 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2008/01/14 18:31:20 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\USER\My Documents\*.tmp files -> C:\Documents and Settings\USER\My Documents\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/17 12:20:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\USER\Desktop\OTL.exe
[2010/09/17 12:17:40 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/09/17 12:17:26 | 000,000,872 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/17 12:17:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/17 12:16:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/17 12:16:20 | 008,650,752 | -H-- | M] () -- C:\Documents and Settings\USER\NTUSER.DAT
[2010/09/17 12:15:58 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\USER\ntuser.ini
[2010/09/17 11:51:04 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/17 02:29:02 | 000,094,720 | ---- | M] () -- C:\Documents and Settings\USER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/17 00:27:00 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\USER\My Documents\pcprob.doc
[2010/09/16 21:34:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/16 01:49:04 | 000,000,472 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for USER.job
[2010/09/15 19:00:02 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule_219.job
[2010/09/15 11:56:40 | 469,123,072 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/09/13 15:44:46 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/09/13 15:44:46 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/09/12 12:03:00 | 000,278,944 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/11 18:17:02 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/09/08 19:59:16 | 001,464,832 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\Electric Cat1211alog 2009.doc
[2010/09/08 19:52:48 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\USER\Desktop\~$ectric Catalog 2009.doc
[2010/09/08 19:52:46 | 001,223,168 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\Electric Catalog 2009.doc
[2010/09/08 04:03:22 | 000,796,778 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\Electric%20Catalog%202009.pdf
[2010/09/01 22:46:58 | 000,028,180 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\final_eternity_algorythm1.exe
[2010/09/01 22:37:08 | 000,014,760 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\lalalal.cpp
[2010/09/01 22:34:10 | 000,014,760 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\final_eternity_algorythm1.cpp
[2010/09/01 21:41:38 | 000,022,838 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\Untitled10.exe
[2010/09/01 21:41:38 | 000,010,894 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\Untitled10.cpp
[2010/08/25 03:04:40 | 000,023,797 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\final_eternity.exe
[2010/08/25 03:00:36 | 000,011,443 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\final_eternity.cpp
[2010/07/19 19:34:28 | 000,407,040 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\merge_sort_full.ppt
[2010/07/19 19:10:26 | 000,150,016 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\InstructionSet.ppt
[2010/07/16 23:41:30 | 000,446,976 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\DRAM_simplified_datasheet2.ppt
[2010/07/16 20:42:40 | 000,369,152 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\tutorial9.ppt
[2010/07/16 20:12:40 | 000,130,560 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\ProcedureCalls.ppt
[2010/07/16 20:11:52 | 000,821,248 | ---- | M] () -- C:\Documents and Settings\USER\Desktop\SingleCycle.ppt
[2010/06/25 16:47:06 | 000,008,793 | ---- | M] () -- C:\Documents and Settings\USER\gsview32.ini
[2010/06/23 03:02:44 | 000,501,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 03:02:44 | 000,441,456 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 03:02:44 | 000,071,408 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\USER\My Documents\*.tmp files -> C:\Documents and Settings\USER\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/17 00:26:59 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\USER\My Documents\pcprob.doc
[2010/09/13 15:44:45 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/09/13 15:44:45 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/09/08 19:59:13 | 001,464,832 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\Electric Cat1211alog 2009.doc
[2010/09/08 19:52:47 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\USER\Desktop\~$ectric Catalog 2009.doc
[2010/09/08 19:52:42 | 001,223,168 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\Electric Catalog 2009.doc
[2010/09/08 04:03:20 | 000,796,778 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\Electric%20Catalog%202009.pdf
[2010/09/01 22:37:07 | 000,014,760 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\lalalal.cpp
[2010/09/01 15:57:12 | 000,022,838 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\Untitled10.exe
[2010/09/01 15:45:29 | 000,010,894 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\Untitled10.cpp
[2010/09/01 14:16:09 | 000,028,180 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\final_eternity_algorythm1.exe
[2010/08/31 12:58:42 | 000,014,760 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\final_eternity_algorythm1.cpp
[2010/07/19 19:34:26 | 000,407,040 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\merge_sort_full.ppt
[2010/07/19 19:10:28 | 000,150,016 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\InstructionSet.ppt
[2010/07/16 23:41:28 | 000,446,976 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\DRAM_simplified_datasheet2.ppt
[2010/07/16 20:42:40 | 000,369,152 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\tutorial9.ppt
[2010/07/16 20:12:40 | 000,130,560 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\ProcedureCalls.ppt
[2010/07/16 20:11:50 | 000,821,248 | ---- | C] () -- C:\Documents and Settings\USER\Desktop\SingleCycle.ppt
[2010/03/02 11:46:08 | 000,000,327 | ---- | C] () -- C:\WINDOWS\DcmLtBox.ini
[2009/03/10 22:18:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\System32\WgaLogon.dll
[2009/01/30 23:16:01 | 000,001,939 | ---- | C] () -- C:\WINDOWS\tabled32.ini
[2008/10/19 18:45:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PAVSHRB.INI
[2008/10/16 19:04:37 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\sufost.ini
[2008/10/15 21:16:36 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\systemInfomations.ini
[2008/10/15 21:12:50 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\discard.ini
[2008/10/08 22:01:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/27 12:01:36 | 000,049,152 | ---- | C] () -- C:\WINDOWS\icpb.dll
[2008/02/28 23:05:18 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\USER\Local Settings\Application Data\fusioncache.dat
[2007/06/16 01:01:24 | 000,000,008 | RHS- | C] () -- C:\WINDOWS\ab3cgtm.dll
[2007/03/30 16:51:41 | 000,000,158 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2007/03/30 16:35:35 | 000,148,992 | ---- | C] () -- C:\WINDOWS\System32\mllink5.dll
[2007/03/30 16:35:35 | 000,000,019 | ---- | C] () -- C:\WINDOWS\exlink.ini
[2007/03/27 10:55:48 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/01/31 19:37:39 | 000,007,326 | ---- | C] () -- C:\WINDOWS\msim_evl.ini
[2007/01/31 19:37:11 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\MSIMHELP.DLL
[2006/12/04 17:26:16 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2006/12/04 17:18:12 | 000,017,226 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/12/04 17:18:12 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/12/04 17:18:09 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/09/26 01:55:10 | 000,000,034 | ---- | C] () -- C:\WINDOWS\ARCHPR.INI
[2006/08/07 09:50:22 | 001,481,728 | ---- | C] () -- C:\WINDOWS\System32\legitcheckcontrol.dll.bak
[2006/08/07 09:50:22 | 001,481,728 | ---- | C] () -- C:\WINDOWS\System32\LegitCheckControl.dll
[2006/03/13 00:10:47 | 000,001,353 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/04/28 06:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 06:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/08/22 17:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2004/08/04 01:07:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\14D3x2.dll
[2004/08/04 01:07:00 | 000,028,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\oknjd.sys
[2004/08/03 23:56:44 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2004/08/03 23:56:44 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2004/08/03 23:56:44 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2004/08/03 23:56:44 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2004/08/03 23:56:44 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2004/03/17 10:29:20 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\Wlan.ini
[2004/03/02 09:43:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\WlanInstallDll.dll
[2004/01/27 14:13:54 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2004/01/27 14:13:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll
[2003/09/26 19:42:10 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ZD12APP.dll
[2003/06/30 22:07:01 | 000,000,191 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/06/19 00:45:40 | 000,094,720 | ---- | C] () -- C:\Documents and Settings\USER\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/06/16 01:09:17 | 000,008,576 | R--- | C] () -- C:\WINDOWS\System32\drivers\srvkp.sys
[2003/06/16 01:08:47 | 000,015,066 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/06/16 01:08:46 | 000,032,738 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/06/16 01:07:59 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\setuplib.dll
[2003/06/16 01:02:48 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2003/06/16 01:02:48 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2003/06/16 01:02:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2003/06/16 01:02:39 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2003/06/16 00:54:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/07 22:21:58 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2001/10/28 17:43:08 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll

========== LOP Check ==========

[2005/09/04 01:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pixelStorm
[2006/08/03 20:09:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2006/09/28 13:34:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2009/08/21 17:41:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ICQ
[2010/06/15 16:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/06/18 22:29:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2003/06/30 19:25:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\InterTrust
[2005/07/26 17:43:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\Kazaa Lite
[2006/07/03 10:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\Design Science
[2007/05/27 11:00:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\ICQ
[2007/05/27 11:02:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\ICQ Toolbar
[2007/09/19 23:28:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\Babylon
[2007/10/09 22:19:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\ICQLite
[2008/01/14 19:09:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\DWGeditor
[2009/09/25 21:36:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\USER\Application Data\ijjigame
[2009/10/26 21:48:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\Centra
[2009/10/26 21:48:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\Saba
[2009/11/04 01:06:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\Dev-Cpp
[2010/05/05 22:40:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\Blitware
[2010/06/13 16:43:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\USER\Application Data\TeamViewer
[2006/01/21 01:05:06 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1057004624.job
[2010/09/15 19:00:02 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\RMSchedule_219.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2004/02/23 20:42:40 | 001,386,496 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2004/08/04 01:07:00 | 000,045,056 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\14D3x2.dll
[2010/05/06 13:41:50 | 000,184,320 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll
[7 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2004/08/04 01:07:00 | 000,028,576 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\oknjd.sys

< %systemroot%\System32\config\*.sav >
[2008/10/19 14:55:56 | 012,058,624 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
[2008/10/19 14:55:56 | 031,457,280 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/10/19 14:55:56 | 000,524,288 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/10/19 14:43:24 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav

< %systemroot%\system32\drivers\*.sys /90 >

========== Files - Unicode (All) ==========
[2010/09/10 05:28:42 | 001,410,560 | ---- | M] ()(C:\Documents and Settings\USER\Desktop\??????? ?????? ????.doc) -- C:\Documents and Settings\USER\Desktop\הפקולטה להנדסת חשמל.doc
[2010/09/10 03:00:24 | 000,000,162 | -H-- | M] ()(C:\Documents and Settings\USER\Desktop\~$????? ?????? ????.doc) -- C:\Documents and Settings\USER\Desktop\~$קולטה להנדסת חשמל.doc
[2010/09/10 03:00:22 | 000,000,162 | -H-- | C] ()(C:\Documents and Settings\USER\Desktop\~$????? ?????? ????.doc) -- C:\Documents and Settings\USER\Desktop\~$קולטה להנדסת חשמל.doc
[2010/09/09 04:13:49 | 001,410,560 | ---- | C] ()(C:\Documents and Settings\USER\Desktop\??????? ?????? ????.doc) -- C:\Documents and Settings\USER\Desktop\הפקולטה להנדסת חשמל.doc
[2010/08/01 11:46:00 | 000,041,984 | ---- | M] ()(C:\Documents and Settings\USER\Desktop\?????_????1.doc) -- C:\Documents and Settings\USER\Desktop\קורות_חיים1.doc
[2009/10/14 20:49:19 | 000,041,984 | ---- | C] ()(C:\Documents and Settings\USER\Desktop\?????_????1.doc) -- C:\Documents and Settings\USER\Desktop\קורות_חיים1.doc
[2009/10/14 20:39:56 | 000,040,960 | ---- | M] ()(C:\Documents and Settings\USER\Desktop\? ? ? ? ? ? ? ? ?.doc) -- C:\Documents and Settings\USER\Desktop\ק ו ר ו ת ח י י ם.doc
[2009/10/13 20:45:04 | 000,051,712 | ---- | M] ()(C:\Documents and Settings\USER\Desktop\????? ???????? ?????? ????? ??????? ???.doc) -- C:\Documents and Settings\USER\Desktop\שאלון ביוגראפי מועמדי תכנית מצוינים באמ.doc
[2009/09/17 19:53:46 | 000,025,088 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\???3???.doc) -- C:\Documents and Settings\USER\My Documents\ساع3طخم.doc
[2009/09/17 17:28:21 | 000,025,088 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\???3???.doc) -- C:\Documents and Settings\USER\My Documents\ساع3طخم.doc
[2009/09/15 23:33:36 | 000,026,624 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ????.doc) -- C:\Documents and Settings\USER\My Documents\הנדסת חשמל.doc
[2009/09/14 23:09:35 | 000,026,624 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ????.doc) -- C:\Documents and Settings\USER\My Documents\הנדסת חשמל.doc
[2009/06/09 12:49:58 | 000,051,712 | ---- | M] ()(C:\????? ???????? ?????? ????? ??????? ???.doc) -- C:\שאלון ביוגראפי מועמדי תכנית מצוינים באמ.doc
[2009/06/09 12:49:56 | 000,051,712 | ---- | C] ()(C:\????? ???????? ?????? ????? ??????? ???.doc) -- C:\שאלון ביוגראפי מועמדי תכנית מצוינים באמ.doc
[2009/06/08 00:30:48 | 000,051,712 | ---- | C] ()(C:\Documents and Settings\USER\Desktop\????? ???????? ?????? ????? ??????? ???.doc) -- C:\Documents and Settings\USER\Desktop\שאלון ביוגראפי מועמדי תכנית מצוינים באמ.doc
[2009/05/05 21:07:53 | 000,040,960 | ---- | C] ()(C:\Documents and Settings\USER\Desktop\? ? ? ? ? ? ? ? ?.doc) -- C:\Documents and Settings\USER\Desktop\ק ו ר ו ת ח י י ם.doc
[2009/05/05 21:06:40 | 000,035,840 | ---- | M] ()(C:\Documents and Settings\USER\? ? ? ? ? ? ? ? ?.doc) -- C:\Documents and Settings\USER\ק ו ר ו ת ח י י ם.doc
[2009/02/07 00:35:24 | 000,020,480 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\???? ?????.doc) -- C:\Documents and Settings\USER\My Documents\שלום לכולם.doc
[2009/02/07 00:35:21 | 000,020,480 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\???? ?????.doc) -- C:\Documents and Settings\USER\My Documents\שלום לכולם.doc
[2008/06/29 01:51:38 | 000,034,304 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ?????.doc) -- C:\Documents and Settings\USER\My Documents\תוכנת המקלט.doc
[2008/06/29 01:51:34 | 000,034,304 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ?????.doc) -- C:\Documents and Settings\USER\My Documents\תוכנת המקלט.doc
[2008/06/26 02:17:38 | 002,604,032 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\??????.doc) -- C:\Documents and Settings\USER\My Documents\שיוךךך.doc
[2008/06/18 15:50:14 | 000,072,704 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\ppt1E [??????].ppt) -- C:\Documents and Settings\USER\My Documents\ppt1E [משוחזר].ppt
[2008/06/18 02:39:44 | 000,072,704 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\ppt1E [??????].ppt) -- C:\Documents and Settings\USER\My Documents\ppt1E [משוחזר].ppt
[2008/06/18 00:05:38 | 002,604,032 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\??????.doc) -- C:\Documents and Settings\USER\My Documents\שיוךךך.doc
[2008/05/16 01:00:58 | 000,030,208 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\?????? ?????.doc) -- C:\Documents and Settings\USER\My Documents\فيزياء مختبر.doc
[2008/05/15 21:27:43 | 000,030,208 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\?????? ?????.doc) -- C:\Documents and Settings\USER\My Documents\فيزياء مختبر.doc
[2008/03/27 00:48:52 | 000,385,536 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\??? ?????? ???????.doc) -- C:\Documents and Settings\USER\My Documents\شحن المكثف وتفريغه.doc
[2008/03/26 19:03:38 | 000,385,536 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\??? ?????? ???????.doc) -- C:\Documents and Settings\USER\My Documents\شحن المكثف وتفريغه.doc
[2008/03/03 00:10:56 | 000,055,296 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\??????? ?? ???????.doc) -- C:\Documents and Settings\USER\My Documents\التصادم في المستوى.doc
[2008/03/02 19:48:31 | 000,055,296 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\??????? ?? ???????.doc) -- C:\Documents and Settings\USER\My Documents\التصادم في المستوى.doc
[2008/02/17 23:26:54 | 000,228,352 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ????? ?? ???? lulu.doc) -- C:\Documents and Settings\USER\My Documents\تداخل الضوء من شقين lulu.doc
[2008/02/17 18:34:10 | 000,228,352 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ????? ?? ???? lulu.doc) -- C:\Documents and Settings\USER\My Documents\تداخل الضوء من شقين lulu.doc
[2008/02/04 01:00:38 | 000,083,456 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ??????? ?????????? ????.doc) -- C:\Documents and Settings\USER\My Documents\القوة الدافعة الكهربائية معمع.doc
[2008/02/03 18:25:29 | 000,083,456 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ??????? ?????????? ????.doc) -- C:\Documents and Settings\USER\My Documents\القوة الدافعة الكهربائية معمع.doc
[2008/01/17 00:01:06 | 000,075,776 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\??2??.doc) -- C:\Documents and Settings\USER\My Documents\לש2שצ.doc
[2008/01/16 21:16:54 | 000,075,776 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\??2??.doc) -- C:\Documents and Settings\USER\My Documents\לש2שצ.doc
[2008/01/09 21:36:16 | 000,024,064 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ???.doc) -- C:\Documents and Settings\USER\My Documents\قانون سنل.doc
[2008/01/09 21:36:14 | 000,024,064 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ???.doc) -- C:\Documents and Settings\USER\My Documents\قانون سنل.doc
[2007/12/30 20:48:36 | 000,067,072 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ??????.doc) -- C:\Documents and Settings\USER\My Documents\القذف الأفقي.doc
[2007/12/30 20:48:34 | 000,067,072 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ??????.doc) -- C:\Documents and Settings\USER\My Documents\القذف الأفقي.doc
[2007/12/23 01:42:40 | 000,023,552 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\?3????.doc) -- C:\Documents and Settings\USER\My Documents\ש3אןמן.doc
[2007/12/16 23:41:30 | 000,023,552 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\?3????.doc) -- C:\Documents and Settings\USER\My Documents\ש3אןמן.doc
[2006/10/08 20:24:48 | 000,023,040 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\?????? ?????????.doc) -- C:\Documents and Settings\USER\My Documents\الدولة العثمانية.doc
[2006/10/08 20:24:46 | 000,023,040 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\?????? ?????????.doc) -- C:\Documents and Settings\USER\My Documents\الدولة العثمانية.doc
[2006/04/25 14:33:52 | 000,025,600 | ---- | M] ()(C:\???? ?? 11 ??????? ????.doc) -- C:\ילדה בת 11 מאושפזת בביה.doc
[2006/04/25 14:33:51 | 000,025,600 | ---- | C] ()(C:\???? ?? 11 ??????? ????.doc) -- C:\ילדה בת 11 מאושפזת בביה.doc
[2006/02/19 01:16:44 | 000,089,088 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ??????.doc) -- C:\Documents and Settings\USER\My Documents\מסעדת הכדרים.doc
[2006/02/18 18:37:40 | 000,089,088 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ??????.doc) -- C:\Documents and Settings\USER\My Documents\מסעדת הכדרים.doc
[2003/06/30 04:52:04 | 000,045,056 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ??? ?????.doc) -- C:\Documents and Settings\USER\My Documents\תצהיר משה אטיאס.doc
[2003/06/30 02:03:56 | 000,045,056 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ??? ?????.doc) -- C:\Documents and Settings\USER\My Documents\תצהיר משה אטיאס.doc
[2003/06/24 03:07:18 | 000,000,162 | -H-- | M] ()(C:\Documents and Settings\USER\My Documents\~$??? ?? ????? ?????? ?????.doc) -- C:\Documents and Settings\USER\My Documents\~$ارب عن موضوع انكسار الضوء.doc
[2003/06/24 03:07:17 | 000,000,162 | -H-- | C] ()(C:\Documents and Settings\USER\My Documents\~$??? ?? ????? ?????? ?????.doc) -- C:\Documents and Settings\USER\My Documents\~$ارب عن موضوع انكسار الضوء.doc
[2003/06/24 03:04:28 | 000,000,162 | -H-- | M] ()(C:\Documents and Settings\USER\My Documents\~$??? ??????.doc) -- C:\Documents and Settings\USER\My Documents\~$وية السقوط.doc
[2003/06/24 03:04:26 | 000,000,162 | -H-- | C] ()(C:\Documents and Settings\USER\My Documents\~$??? ??????.doc) -- C:\Documents and Settings\USER\My Documents\~$وية السقوط.doc
[2003/06/18 00:20:40 | 000,033,280 | ---- | M] ()(C:\Documents and Settings\USER\My Documents\????? ?? ????.doc) -- C:\Documents and Settings\USER\My Documents\פגישה עם לסרי.doc
[2003/06/17 20:22:51 | 000,033,280 | ---- | C] ()(C:\Documents and Settings\USER\My Documents\????? ?? ????.doc) -- C:\Documents and Settings\USER\My Documents\פגישה עם לסרי.doc
< End of report >

------------------------------------------------------------------------------------------------------------------------

Extras.Txt:

OTL Extras logfile created on: 9/17/2010 12:21:40 PM - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\USER\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: ארצות הברית | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 108.00 Mb Available Physical Memory | 24.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): c:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.07 Gb Total Space | 2.26 Gb Free Space | 5.79% Space Free | Partition Type: FAT32
Drive D: | 35.44 Gb Total Space | 6.82 Gb Free Space | 19.25% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VICTOR
Current User Name: USER
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:NetBIOS Session Service
"445:TCP" = 445:TCP:*:Enabled:SMB over TCP
"137:UDP" = 137:UDP:*:Enabled:NetBIOS Name Service
"138:UDP" = 138:UDP:*:Enabled:NetBIOS Datagram Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:NetBIOS Session Service
"445:TCP" = 445:TCP:LocalSubNet:Enabled:SMB over TCP
"137:UDP" = 137:UDP:LocalSubNet:Enabled:NetBIOS Name Service
"138:UDP" = 138:UDP:LocalSubNet:Enabled:NetBIOS Datagram Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:SSDP
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:UPnP framework over TCP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MicroStar\WLANUtility\APUtility.exe" = C:\Program Files\MicroStar\WLANUtility\APUtility.exe:*:Enabled:APUtility Configs AP -- ()
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- File not found
"C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" = C:\Program Files\Kazaa Lite K++\KazaaLite.kpp:*:Enabled:KazaaLite -- File not found
"C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE" = C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE:*:Enabled:Microsoft PowerPoint -- (Microsoft Corporation)
"C:\Program Files\eMule\emule.exe" = C:\Program Files\eMule\emule.exe:*:Enabled:eMule -- File not found
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares -- File not found
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Documents and Settings\All Users\Desktop\TVAnts\Tvants.exe" = C:\Documents and Settings\All Users\Desktop\TVAnts\Tvants.exe:*:Enabled:TVAnts -- File not found
"C:\Documents and Settings\USER\Desktop\Tvants.exe" = C:\Documents and Settings\USER\Desktop\Tvants.exe:*:Enabled:TVAnts -- File not found
"C:\Program Files\TVU Player\TVUPlayer.exe" = C:\Program Files\TVU Player\TVUPlayer.exe:*:Enabled:TVUPlayer -- File not found
"C:\Documents and Settings\USER\Desktop\LimeWire\LimeWire.exe" = C:\Documents and Settings\USER\Desktop\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\ICQ6\ICQ.exe" = C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6 -- File not found
"C:\Documents and Settings\USER\My Documents\matthias\ICQLite\ICQLite.exe" = C:\Documents and Settings\USER\My Documents\matthias\ICQLite\ICQLite.exe:*:Enabled:ICQ Lite -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\ICQ6.5\ICQ.exe" = C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, LLC.)
"C:\WINDOWS\Downloaded Program Files\PurpleBean.exe" = C:\WINDOWS\Downloaded Program Files\PurpleBean.exe:*:Enabled:PurpleBean.exe -- ()
"C:\WINDOWS\System32\dpvsetup.exe" = C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\ijji\ijji REACTOR\ijjiOptimizer.exe" = C:\Program Files\ijji\ijji REACTOR\ijjiOptimizer.exe:*:Enabled:ijjiOptimizer.exe -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01161F64-6897-4885-93A0-A9F7BE9A4253}" = hp psc 1100 series
"{117CD9C0-0F15-4633-93D7-F957B50535A5}" = Popup Blocker (Windows Live Toolbar)
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{1707BF02-0F5C-4A6C-8F17-053BB73E443F}" = Tabbed Browsing (Windows Live Toolbar)
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 20
"{2727FBEF-3155-11D4-8F73-0050DA0F6297}" = The Sims Livin' Large
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{53B2CFE9-A508-4457-B2CA-5D253536BFB7}" = OneCare Advisor (Windows Live Toolbar)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{5A2C3439-8365-4A89-B118-10D18EB6EC28}" = SPSS SmartViewer 12.0
"{5EF2B896-B1C1-46E8-83AD-4F940B7A5982}" = MathGV 4
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{661DD059-B422-4AA0-9BF3-85629F39B25B}" = Copydaf Printer
"{67A339E5-D8AA-4E88-9278-A571B397F798}" = Babylon Toolbar
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{735BFEEC-D330-496A-85B2-DF1B56BF2BB0}_is1" = Driver Fetch
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85E5C804-7DD5-4CEA-9724-E1DAA21FC615}" = 3D Virtual Cube
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{9011040D-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{901E040D-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Hebrew User Interface Pack
"{902C0D79-8D7F-4956-9DCB-A223D5BF55B3}" = IEEE802.11a/b/g Wireless LAN Software
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9E4A9772-6BE4-40B1-B759-F790840AB5DE}" = SPSS Data Access Pack for Windows
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A40D6757-B145-4FE7-B694-89180A9F3F64}" = Windows Live Outlook Toolbar (Windows Live Toolbar)
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B3B77C66-1553-4FFE-B044-53B179FBE0B6}" = SPSS 12.0 for Windows
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F5AF5CDA-76FC-4794-9F28-09B6D54E7431}" = Form Fill (Windows Live Toolbar)
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"3ivx D4 4.5.1" = 3ivx D4 4.5.1 (remove only)
"4shared.com Toolbar" = 4shared.com Toolbar
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"avast5" = avast! Free Antivirus
"Babylon" = Babylon
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"CentraClient" = Centra Client
"C-Media Audio" = C-Media 3D Audio
"CSCLIB" = Canon Camera Support Core Library
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"DSMT5" = MathType 5
"Electronics_Workbench_V5" = Electronics Workbench V5.12
"EOS Utility" = Canon Utilities EOS Utility
"EZface ActiveX" = EZface ActiveX 204
"Google Updater" = Google Updater
"GSview 4.6" = GSview 4.6
"HijackThis" = HijackThis 1.99.1
"HP PSC 1100 Series" = HP Photo and Imaging 2.0 - hp psc 1100 series
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Matlab 6.5" = MATLAB 6.5
"MAX+plus II 10.2 BASELINE" = MAX+plus II 10.2 BASELINE
"MicroSimDeinstKey" = MicroSim EVAL 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NSS" = Norton Security Scan
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"Registry Mechanic_is1" = Registry Mechanic 9.0
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Sibelius Scorch Plugin_is1" = Sibelius Scorch Plugin 5.2.5.30
"SiS Compatible VGA V2.12" = SiS Compatible VGA V2.12
"SystemRequirementsLab" = System Requirements Lab
"TablEdit_is1" = TablEdit 2.65
"TVAnts 1.0" = TVAnts 1.0
"VIA/S3G UniChrome Family Win2K/XP Display" = VIA/S3G Display Driver
"VLC media player" = VLC media player 0.9.4
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = .NET Runtime | ID = 1024
Description = Shim database version C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
doesn't have a matching runtime directory

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Error 25007.Error
occurred while initializing fusion. Setup could not load fusion with LoadLibraryShim().
Error: 0x80131700

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = .NET Runtime | ID = 1024
Description = Shim database version C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
doesn't have a matching runtime directory

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Error 25007.Error
occurred while initializing fusion. Setup could not load fusion with LoadLibraryShim().
Error: 0x80131700

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = .NET Runtime | ID = 1024
Description = Shim database version C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
doesn't have a matching runtime directory

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Error 25007.Error
occurred while initializing fusion. Setup could not load fusion with LoadLibraryShim().
Error: 0x80131700

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = .NET Runtime | ID = 1024
Description = Shim database version C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
doesn't have a matching runtime directory

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Error 25007.Error
occurred while initializing fusion. Setup could not load fusion with LoadLibraryShim().
Error: 0x80131700

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = .NET Runtime | ID = 1024
Description = Shim database version C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
doesn't have a matching runtime directory

Error - 9/15/2010 9:03:53 PM | Computer Name = VICTOR | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Error 25007.Error
occurred while initializing fusion. Setup could not load fusion with LoadLibraryShim().
Error: 0x80131700

[ System Events ]
Error - 9/17/2010 5:50:00 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7000
Description = The Bonjour Service service failed to start due to the following error:
%%3

Error - 9/17/2010 5:50:00 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the MSI_WLAN_Service service
to connect.

Error - 9/17/2010 5:50:00 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7000
Description = The MSI_WLAN_Service service failed to start due to the following
error: %%1053

Error - 9/17/2010 5:51:24 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASKUTIL sptd

Error - 9/17/2010 6:17:01 AM | Computer Name = VICTOR | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .

Error - 9/17/2010 6:17:01 AM | Computer Name = VICTOR | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 9/17/2010 6:18:12 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7000
Description = The Bonjour Service service failed to start due to the following error:
%%3

Error - 9/17/2010 6:18:12 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the MSI_WLAN_Service service
to connect.

Error - 9/17/2010 6:18:12 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7000
Description = The MSI_WLAN_Service service failed to start due to the following
error: %%1053

Error - 9/17/2010 6:18:14 AM | Computer Name = VICTOR | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde SASKUTIL sptd


< End of report >


#4 samatar

samatar
  • Topic Starter
  • Members
  • 10 posts

Posted 17 September 2010 - 05:37 AM


By the way, the homepage appears fine now - it doesn't go to www.6700.cn!
I'm not sure if that's saying anything though; I've had it happen before that the problem goes away only for a short amount of time. Is there anything else one should do?

Thanks again for your time!

#5 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 17 September 2010 - 06:10 AM

Hi samatar,



Please uninstall the outdated Java versions (J2SE Runtime Environment 5.0 Update 4 and Java™ 6 Update 3) via Add/Remove Programs. Then go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup).
On the Update tab, click the Update Now button. When done, press Apply and then OK. Then clear your Java cache as instructed in this thread.



Step1
  1. Please start OTL on your desktop.
  2. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box.

    CODE
    :OTL
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.6700.cn?tn=102733
    IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\URLSearchHook: - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-1390067357-839522115-1957994488-1004\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {589E405E-6C09-4341-862A-FFFEBD5C3C8C} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {26E71720-56EE-4656-B61D-FA7C89CD8DCD} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {26E71720-56EE-4656-B61D-FA7C89CD8DCD} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKU\.DEFAULT..\RunOnce: [ShowDeskFix] File not found
    O4 - HKU\S-1-5-18..\RunOnce: [ShowDeskFix] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O20 - AppInit_DLLs: (biroas.dll) - File not found
    O20 - AppInit_DLLs: (lensch.dll) - File not found
    O20 - AppInit_DLLs: (thermnc.dll) - File not found
    O33 - MountPoints2\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe
    O33 - MountPoints2\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe
    O33 - MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\Shell - "" = AutoRun
    O33 - MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\Shell\Auto\command - "" = G:\auto.exe -- File not found
    O33 - MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\Shell - "" = AutoRun
    O33 - MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\Shell - "" = AutoRun
    O33 - MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\Shell\Auto\command - "" = G:\auto.exe -- File not found
    O33 - MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\Shell\AutoRun - "" = Auto&Play

    :Files
    C:\WINDOWS\system32\14D3x2.dll
    C:\WINDOWS\system32\drivers\oknjd.sys

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  3. Click Run Fix button on the top.
  4. Click OK and let it run unhindered.
  5. OTL will ask to reboot the machine. Please OK the prompt.
  6. A report will open. Copy and Paste that report in your next reply.


Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
  7. Wait for the scan to finish
  8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  9. Copy and paste that log as a reply to this topic.



Please post back the logs in your next reply.


1. OTL delete log
2. ESET Online Scan report

Let me know if you have any remaining issues on your pc.

#6 samatar

samatar
  • Topic Starter
  • Members
  • 10 posts

Posted 17 September 2010 - 07:54 AM


Thanks again for the help!

OTL:
During the fix, several Windows error messages appeared, all pertaining to "File or directory X is corrupt and unreadable. Please run the Chkdsk utility",
with X once being
\Documents and Settings\Local Settings\Temp\~DF4BE0.tmp
and several times being
\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\WPGL3QD0\p_578055364=6[6].txt
to which I could only click OK.

At any rate here's the OTL log:

All processes killed
========== OTL ==========
Unable to set value : HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Unable to set value : HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
Unable to set value : HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E!
Registry value HKEY_USERS\S-1-5-21-1390067357-839522115-1957994488-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1390067357-839522115-1957994488-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{589E405E-6C09-4341-862A-FFFEBD5C3C8C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{589E405E-6C09-4341-862A-FFFEBD5C3C8C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{26E71720-56EE-4656-B61D-FA7C89CD8DCD} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26E71720-56EE-4656-B61D-FA7C89CD8DCD}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{26E71720-56EE-4656-B61D-FA7C89CD8DCD} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26E71720-56EE-4656-B61D-FA7C89CD8DCD}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ShowDeskFix deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ShowDeskFix not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:biroas.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:lensch.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:thermnc.dll deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\ not found.
File C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84faf0c2-a920-11dd-bd32-0015f2bbdae5}\ not found.
File C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
File G:\auto.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8255326-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8255327-96dc-11dd-bcf8-0015f2bbdae5}\ not found.
File G:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\ not found.
File G:\auto.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f371c5fd-3f87-11dd-bc3a-0015f2bbdae5}\ not found.
========== FILES ==========
File move failed. C:\WINDOWS\system32\14D3x2.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\drivers\oknjd.sys scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6674049 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 9454093 bytes

User: USER
->Temp folder emptied: 177338767 bytes
->Temporary Internet Files folder emptied: 347925559 bytes
->Java cache emptied: 1 bytes
->Flash cache emptied: 12336 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 5385239 bytes
%systemroot%\System32 .tmp files removed: 3275793 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2084304 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 187735252 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 789563 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 706.00 mb


[EMPTYFLASH]

User: Default User
->Flash cache emptied: 0 bytes

User: All Users

User: NetworkService

User: LocalService

User: USER
->Flash cache emptied: 0 bytes

User: Administrator

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.12.1 log created on 09172010_132258

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\14D3x2.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\drivers\oknjd.sys scheduled to be moved on reboot.
File\Folder C:\Documents and Settings\USER\Local Settings\Temp\~DFBD86.tmp not found!
File\Folder C:\Documents and Settings\USER\Local Settings\Temp\~DFBD91.tmp not found!
File\Folder C:\Documents and Settings\USER\Local Settings\Temp\~DFBDE9.tmp not found!
File\Folder C:\Documents and Settings\USER\Local Settings\Temp\~DFBDF4.tmp not found!
File\Folder C:\Documents and Settings\USER\Local Settings\Temp\~DFBE27.tmp not found!
File\Folder C:\Documents and Settings\USER\Local Settings\Temp\~DFBE32.tmp not found!
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\3D75P3F9\topic347793[1].htm moved successfully.
C:\Documents and Settings\USER\Local Settings\Temporary Internet Files\Content.IE5\WPGL3QD0\iframe[1].htm moved successfully.

Registry entries deleted on Reboot...


-----------------------------------------------------------------------------------------------------------------------

Now as to ESET, it found 10 threats and apparently quarantined them. However, I did not ask it to delete the quarantined files upon finishing (I understand that is something which can be done later on?).

Here's the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2c16d17258c2244c9b7b21dfc86ebc92
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-17 12:41:19
# local_time=2010-09-17 02:41:19 (+0200, Jerusalem Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777175 100 0 60550315 60550315 0 0
# compatibility_mode=1536 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 3847 3847 0 0
# scanned=221369
# found=10
# cleaned=10
# scan_time=3759
C:\WINDOWS\icpb.dll a variant of Win32/Agent.NXB trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\14D3x2.dll a variant of Win32/Agent.OCX trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\oknjd.sys a variant of Win32/Agent.ODM trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\USER\Local Settings\Temp\NOD47.tmp a variant of Win32/Agent.NXB trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Program Files\HiJackThis\backups\backup-20070922-225535-426.dll a variant of Win32/Adware.Comet.AC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8DB10660-345B-4C18-801C-8D18FCACF49A}\RP573\A0115475.dll a variant of Win32/Agent.NXB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{8DB10660-345B-4C18-801C-8D18FCACF49A}\RP573\A0115476.dll a variant of Win32/Adware.Comet.AC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\SDFix\backups\backups.zip Win32/PSW.OnLineGames.VPI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\FOUND.010\FILE0003.CHK a variant of Win32/Adware.Cinmus application (deleted - quarantined) 00000000000000000000000000000000 C
D:\Software\matlab r2006b\matlab_kg.exe probably a variant of Win32/Agent.HLUMUQB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Should I take any more steps?

Well, the PC has many issues, unfortunately. It's not mine, it's my brother's - the kind of person who clicks 'OK' to everything and 'Next -> Next -> Next -> Next -> Finish' when installing anything. But I can't really point out anything in particular that's not functional (beside the hijacked homepage). Hopefully with what you've told me to do , things will run much smoother. Thanks!

#7 samatar

samatar
  • Topic Starter
  • Members
  • 10 posts

Posted 17 September 2010 - 08:07 AM

Well, I have just restarted my PC, and when I opened IE8, the homepage was again www.6700.cn. It had also changed in Tools -> Internet Options. I changed it to google.com.

Edit: In fact, the problem reappears whenever I restart.

Edited by samatar, 17 September 2010 - 08:13 AM.


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 17 September 2010 - 08:27 AM

Hi samatar,


Step1

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons /sub
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace /sub
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command /sub
    HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} /sub
    HKEY_CLASSES_ROOT\http\shell\open\command /sub
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes /sub
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes /sub

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Step2
  1. If you already have ComboFix, please delete that copy and download it again, as it is updated regularly.
  2. Please visit this webpage for download links and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option of installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow ComboFix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse-click on ComboFix while it is running. That may cause it to stall.


In your next reply, please post back:

1. SystemLook.txt
2. ComboFix log

Thanks
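
The registry locations that post #5's OTL script cleaned (the Start Page value under each HKU hive, AppInit_DLLs, orphaned BHOs, MountPoints2 autorun commands) and the ones post #8's SystemLook request reads back (the IE launch commands behind the Start Menu entry, the desktop IE icon CLSID and the http: handler, plus SearchScopes) are the usual places a homepage hijacker leaves something behind. The script below is an added example, not a tool from the thread or from BleepingComputer: it reads those same keys with plain PowerShell and reports anything that deviates from a stock IE install. The homepage and search-engine allowlists are my assumptions, not values from the page. Run it from an elevated prompt; if the homepage keeps coming back after a reboot, as samatar reports in post #7, running it again after each restart shows which key a boot-time component keeps rewriting.

```powershell
# Added audit script for IE hijack persistence points (not the thread's own tooling).
# Reads the keys targeted by the OTL fix (post #5) and the SystemLook request (post #8)
# and reports deviations from a plain IE install. Run elevated; re-run after each reboot.
# ASSUMPTION: the two allowlists below are mine, not values taken from the page.
$AllowedHomepages  = @('about:blank', 'http://www.google.com/', 'http://go.microsoft.com/fwlink/?LinkId=69157')
$SearchHostPattern = '(?i)^https?://([a-z0-9-]+\.)*(google|bing|live)\.com/'
$Findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Where, [string]$What) {
    [void]$Findings.Add((New-Object PSObject -Property @{ Location = $Where; Detail = $What }))
}

# Returns a registry value, or $null if the key or value is absent. '(default)' reads a key's default value.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Start Page in every loaded user hive. The OTL log shows it set under S-1-5-18/19/20
#    (SYSTEM, LocalService, NetworkService) as well as the interactive user: a machine-wide implant.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
    $main = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Internet Explorer\Main"
    $sp = Get-RegValue $main 'Start Page'
    if ($sp -and ($AllowedHomepages -notcontains $sp)) { Add-Finding "$main\Start Page" "unexpected homepage: $sp" }
}

# 2. AppInit_DLLs: each DLL listed here is loaded into every process that links user32.dll,
#    so a hijacker can rewrite Start Page from inside IE itself every time it starts.
$appInit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' 'AppInit_DLLs'
if ($appInit -and $appInit.Trim()) { Add-Finding 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' "injected DLLs: $appInit" }

# 3. Browser Helper Objects: resolve each CLSID to its DLL; flag orphans, missing files and unsigned code.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($bho in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid = $bho.PSChildName
        $dll = Get-RegValue "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" '(default)'
        if (-not $dll) { Add-Finding "BHO $clsid" 'orphaned: no InProcServer32 (leftover registration)'; continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) { Add-Finding "BHO $clsid" "server DLL missing: $dll"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { Add-Finding "BHO $clsid" "unsigned or invalid signature ($($sig.Status)): $dll" }
    }
}

# 4. IE launch commands (the keys SystemLook was asked to dump). A hijacker appends its URL here so the
#    desktop icon or Start Menu entry opens its page regardless of what Start Page says.
$launchKeys = @(
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command',
    'Registry::HKEY_CLASSES_ROOT\http\shell\open\command'
)
foreach ($k in $launchKeys) {
    $cmd = Get-RegValue $k '(default)'
    if (-not $cmd) { continue }
    if ($cmd -notmatch '(?i)\\iexplore\.exe' -or $cmd -match '(?i)https?://|www\.') { Add-Finding $k "launch command altered: $cmd" }
}

# 5. Default search provider for the user and the machine.
foreach ($root in 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes', 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes') {
    $def = Get-RegValue $root 'DefaultScope'
    if (-not $def) { continue }
    $url = Get-RegValue "$root\$def" 'URL'
    if ($url -and $url -notmatch $SearchHostPattern) { Add-Finding "$root\$def" "default search provider points elsewhere: $url" }
}

# 6. Cached autorun commands for removable drives (the iuhx32.exe / auto.exe entries in the OTL fix).
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path -LiteralPath $mp) {
    foreach ($cmdKey in Get-ChildItem -LiteralPath $mp -Recurse | Where-Object { $_.PSChildName -eq 'command' }) {
        $cmd = Get-RegValue $cmdKey.PSPath '(default)'
        if ($cmd) { Add-Finding $cmdKey.Name "removable-drive autorun command: $cmd" }
    }
}

if ($Findings.Count -eq 0) { 'No deviations found in the audited keys.' }
else { $Findings | Select-Object Location, Detail | Format-Table -AutoSize -Wrap }
```

The check in step 4 is deliberately strict: any URL inside an IE launch command is reported, because a stock install never carries one there (the http: handler in samatar's SystemLook output reads `"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome`, with no URL). Step 1 reports any homepage outside the allowlist rather than trying to classify it, so a legitimately customised homepage will show up once and can be ignored; what matters is a value that returns after you have changed it.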



#9 samatar

samatar
  • Topic Starter
  • Members
  • 10 posts

Posted 17 September 2010 - 11:10 AM


Hello again, here are the results:

SystemLook.txt:

SystemLook 04.09.10 by jpshortstuff
Log created at 17:35 on 17/09/2010 by USER
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}.default"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"= 0x0000000001 (1)
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"= 0x0000000001 (1)
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"= 0x0000000001 (1)
"{871C5380-42A0-1069-A2EA-08002B30309D}"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00020D75-0000-0000-C000-000000000046}]
@=""
"Removal Message"="סמל Outlook בשולחן העבודה מספק פונקציונליות מיוחדת ומומלץ שלא להסיר אותו."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}]
@="IE History and Feeds Shell Data Source for Windows Search"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
@="Computer Search Results Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
@=""
"Removal Message"="@mydocs.dll,-900"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
@="Search Results Folder"


[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\Program Files\Internet Explorer\iexplore.exe"


[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}]
"InfoTip"="@C:\WINDOWS\system32\ieframe.dll.mui,-881"
"LocalizedString"="@C:\WINDOWS\system32\ieframe.dll.mui,-880"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon]
@="C:\WINDOWS\system32\ieframe.dll,-190"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32]
@="C:\WINDOWS\system32\ieframe.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell]
@="OpenHomePage"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns]
@="Start Without Add-ons"
"LegacyDisable"=""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns\Command]
@=""C:\Program Files\Internet Explorer\iexplore.exe" -extoff"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage]
@="Open &Home Page"
"MUIVerb"="@shdoclc.dll,-10241"
"LegacyDisable"=""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@=""C:\Program Files\Internet Explorer\iexplore.exe""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex]
(No values found)

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers]
(No values found)

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe]
@="{871C5380-42A0-1069-A2EA-08002B30309D}"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\MayChangeDefaultMenu]
@=""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]
"Attributes"= 0x0000000024 (36)
"HideFolderVerbs"=""
"WantsParseDisplayName"=""
"HideOnDesktopPerUser"=""
@="C:\WINDOWS\system32\ieframe.dll,-190"
"HideAsDeletePerUser"=""


[HKEY_CLASSES_ROOT\http\shell\open\command]
@=""C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome"


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"Version"= 0x0000000002 (2)
"DownloadUpdates"= 0x0000000001 (1)
"UpgradeTime"=f0 a4 1e 5b 90 0c cb 01 (REG_BINARY)
"DefaultScope"="{AC655E01-E98D-4658-B920-C9BB6C4F9753}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURLFallback"="http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
"FaviconURLFallback"="http://www.bing.com/favicon.ico"
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
"DisplayName"="Bing"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AAF5579-09FC-45EB-8C64-9195857F3FC1}]
"DisplayName"="Bing"
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
"SuggestionsURLFallback"="http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
"FaviconURLFallback"="http://www.bing.com/favicon.ico"
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{5AAF5579-09FC-45EB-8C64-9195857F3FC1}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}]
"URL"="http://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd"
"DisplayName"="ICQ Search"
"FaviconURL"="http://c.icq.com/favicon.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}\Non-Matches]
"http://c.icq.com/search/icqosd.xml"=00 1c 99 52 1e d0 c6 01 (REG_BINARY)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{6A1806CD-94D4-4689-BA73-E35EA1EA9990}.ico"
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AC655E01-E98D-4658-B920-C9BB6C4F9753}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7GPEA_enIL299"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"= 0x0000000001 (1)
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{AC655E01-E98D-4658-B920-C9BB6C4F9753}.ico"
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"= 0x0000000001 (1)
"SortIndex"= 0x0000000000 (0)


-= EOF =-

------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Combofix log:

ComboFix 10-09-16.07 - USER 09/17/2010 17:55:31.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.190 [GMT 2:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\All Users\Application Data\microsoft\office\system
c:\documents and settings\All Users\Application Data\microsoft\office\userdata
c:\documents and settings\All Users\Application Data\microsoft\office\userdata\_keepfile
c:\documents and settings\All Users\hsyhdf16.ini
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
C:\Internet Explorer.lnk
c:\program files\Common Files\Real\visualizations\real_vis_yqllyrics.rpv
c:\program files\Internet Explorer\V3s1Nt64.Jmp
c:\program files\Windows NT\system\htrn_jis.dll
C:\Thumbs.db
c:\windows\daemon.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\MsWino.dat
c:\windows\sebs
c:\windows\system32\10.ext
c:\windows\system32\11.ext
c:\windows\system32\12.ext
c:\windows\system32\13.ext
c:\windows\System32\14D3x2.dll
c:\windows\system32\22D75360.cfg
c:\windows\system32\3474A8C2.cfg
c:\windows\system32\43ACDCC5.cfg
c:\windows\system32\4D023DE9.cfg
c:\windows\system32\7ADC2AB1.cfg
c:\windows\system32\82710040.cfg
c:\windows\system32\8566F82E.cfg
c:\windows\system32\9.ext
c:\windows\system32\com\1.1.6
c:\windows\system32\Com\Config.cfg
c:\windows\system32\comarshal.dat
c:\windows\system32\comspring.dat
c:\windows\system32\config.txt
c:\windows\system32\config\PlugsList.dat
c:\windows\system32\DA63E650.cfg
c:\windows\system32\DE02F764.cfg
c:\windows\system32\discard.ini
c:\windows\system32\down.txt
c:\windows\System32\DRIVERS\oknjd.sys
c:\windows\system32\inf
c:\windows\system32\powerwordlite.33626.813381.exe
c:\windows\system32\powerwordlite.33626.813524.exe
c:\windows\system32\powerwordlite.33626.813792.exe
c:\windows\system32\powerwordlite.33626.813794.exe
c:\windows\system32\ppstreamsetup_51cpm@405.exe
c:\windows\system32\ppstreamsetup_51cpm@439.exe
c:\windows\system32\ppstreamsetup_51cpm@440.exe
c:\windows\system32\ppstreamsetup_51cpm@494.exe
c:\windows\system32\srpcss.dll
c:\windows\system32\sufost.ini
c:\windows\system32\systemInfomations.ini
c:\windows\system32\Thumbs.db
c:\windows\system32\tmplljydf0.exe
c:\windows\system32\windows.txt
c:\windows\system32\wl.exe
c:\windows\UP
c:\windows\vv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_4901228
-------\Legacy_ACPIDISK
-------\Legacy_HBKERNEL32
-------\Legacy_MSDCOM
-------\Legacy_NETWORK_SERVICES
-------\Legacy_PROTECTEDSTORI
-------\Legacy_RESSDT
-------\Legacy_WBWIN
-------\Legacy_WMPOBJ
-------\Legacy_oknjd
-------\Service_oknjd


((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-17 13:15 . 2010-09-17 13:15 -------- d-----w- C:\FOUND.007
2010-09-17 11:34 . 2010-09-17 11:34 -------- d-----w- c:\program files\ESET
2010-09-17 11:22 . 2010-09-17 11:23 -------- d-----w- C:\_OTL
2010-09-17 11:18 . 2010-09-17 11:18 -------- d-----w- c:\program files\Common Files\Java
2010-09-17 10:03 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 10:03 . 2010-09-17 10:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 10:03 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 10:09 . 2010-09-15 10:09 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\PCHealth
2010-09-14 22:32 . 2010-09-14 22:32 -------- d-----w- C:\FOUND.006
2010-09-13 23:48 . 2010-09-13 23:48 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-09-11 11:58 . 2010-09-11 11:58 -------- d-----w- C:\FOUND.005
2010-09-08 16:59 . 2010-09-08 16:59 -------- d-----w- C:\FOUND.004
2010-09-02 16:22 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-02 16:22 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-09-02 16:22 . 2001-08-17 12:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-02 16:22 . 2001-08-17 12:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-08-29 10:36 . 2010-08-29 10:36 -------- d-----w- C:\FOUND.003

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 13:19 . 2010-08-06 13:19 503808 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\msvcp71.dll
2010-08-06 13:19 . 2010-08-06 13:19 499712 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\jmc.dll
2010-08-06 13:19 . 2010-08-06 13:19 348160 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\msvcr71.dll
2010-08-06 13:19 . 2010-08-06 13:19 61440 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3a17ad62-n\decora-sse.dll
2010-08-06 13:19 . 2010-08-06 13:19 12800 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3a17ad62-n\decora-d3d.dll
2010-07-17 03:00 . 2010-06-15 14:20 423656 ----a-w- c:\windows\system32\deployJava1.dll
2007-06-15 23:01 . 2007-06-15 23:01 8 --sh--r- c:\windows\ab3cgtm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-28 39408]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-04-08 3233752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2004-07-29 2052173]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2007-09-20 61952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7-10"="advpack.dll" [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2004-07-29 13:04 2052173 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2007-09-20 09:33 61952 ----a-w- c:\windows\system32\HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 08:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 21:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2005-03-11 09:33 147456 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"CCALib8"=2 (0x2)
"560C3A5D"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MicroStar\\WLANUtility\\APUtility.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [1/14/2008 6:31 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [1/14/2008 6:31 PM 5248]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [6/18/2010 10:29 PM 632792]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/26/2006 1:46 PM 611064]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 IPRIP;IPRIP;c:\windows\System32\svchost.exe -k netsvcs [8/3/2004 11:56 PM 14336]
S3 dump_wmimmc;dump_wmimmc;\??\c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys --> c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [?]
S3 bleepALLGUARD;bleepALLGUARD;\??\c:\001630aa\001630B2 --> c:\001630aa\001630B2 [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 560C3A5D;560C3A5D;c:\windows\Fonts\BF979708.EXE -k --> c:\windows\Fonts\BF979708.EXE -k [?]
.
Contents of the 'Scheduled Tasks' folder

2006-01-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1100 series5E771253C1676EBED677BF361FDFC537825E15B8057004624.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]

2010-09-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-28 14:18]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 15:31]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 15:31]

2010-09-15 c:\windows\Tasks\Norton Security Scan for USER.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-28 04:32]

2010-09-15 c:\windows\Tasks\RMSchedule_219.job
- c:\program files\Registry Mechanic\Launcher.exe [2010-06-18 07:14]

2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = www.6700.cn?tn=102733
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?e50b0d39614d4839b3b204b095624854
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?e50b0d39614d4839b3b204b095624854
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\windows\system32\mapi32.dll
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://centrasrv.cet.ac.il/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {22055A00-27C0-438B-BF53-44E973A4C48A} - hxxp://thesecret.tv/movie/player/vivid_ocx.jpeg
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
MSConfigStartUp-360 - c:\windows\360safe.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
MSConfigStartUp-ICQ Lite - c:\documents and settings\USER\My Documents\matthias\ICQLite\ICQLite.exe
MSConfigStartUp-QQfaces - C:\PlayrKM.exe
MSConfigStartUp-SoundMan - SoundMan.exe
MSConfigStartUp-SoundMAX - c:\program files\Analog Devices\SoundMAX\Smax4.exe
MSConfigStartUp-SoundMAXPnP - c:\program files\Analog Devices\Core\smax4pnp.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
MSConfigStartUp-UUcallo - c:\woKuto.exe
AddRemove-Microsoft .NET Framework 3.5 SP1 - c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-17 18:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85099AD8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf779ef10
\Driver\ACPI -> ACPI.sys @ 0xf7711cb8
\Driver\atapi -> 0x85099ad8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf74fbba0
PacketIndicateHandler -> NDIS.sys @ 0xf7508b21
SendHandler -> NDIS.sys @ 0xf74e687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\bleepALLGUARD]
"ImagePath"="\??\c:\001630aa\001630B2"

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-839522115-1957994488-1004\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
"File1"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(848)
c:\windows\system32\WININET.dll
c:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
d:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\matlab6p5\bin\win32\matlab.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-17 18:07:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-17 16:07

Pre-Run: 3,031,531,520 bytes free
Post-Run: 2,880,831,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 1AE26A2735A83335A35B6692427CE6A1
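The registry export and the ComboFix "Supplementary Scan" above show what the hijack actually looks like on disk: the user's Start Page points at www.6700.cn?tn=102733 (scheme-less, so a naive URL check misses it), while the SearchScopes entries still point at Google, Bing and ICQ. As an added example (my own code, not part of this thread or of HijackThis/ComboFix), here is a small Python audit that parses a REGEDIT4-style export of the Internet Explorer keys and flags any Main value or search-scope URL whose host is not on an allowlist, plus a DefaultScope GUID that no longer has a matching key. The sample export below is constructed for the example (it copies the hijacked Start Page and a few of the scopes from the dump above), and the KNOWN_HOSTS allowlist is an assumption you would tailor to the machine, not anything Microsoft or the page defines.

```python
import re
from urllib.parse import urlparse

# Constructed sample export, modelled on the REGEDIT4-style dump posted above.
# The Start Page value copies the hijacked "uStart Page" from the ComboFix log.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="www.6700.cn?tn=102733"
"Search Page"="http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&ie={inputEncoding}&sourceid=ie7"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}]
"DisplayName"="ICQ Search"
"URL"="http://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd"
"FaviconURL"="http://c.icq.com/favicon.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&sourceid=ie7"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Assumption for the example: the hosts the owner actually expects IE to use.
KNOWN_HOSTS = {"www.google.com", "www.bing.com", "api.bing.com",
               "search.live.com", "www.icq.com", "c.icq.com"}


def parse_reg_export(text):
    """Map each [key] in a REGEDIT4 export to its quoted string values.
    Unquoted values (REG_BINARY, DWORD) and @ defaults are skipped on purpose."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = STR_VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def host_of(url):
    """Host part of a URL. Hijacks often store scheme-less values such as
    www.6700.cn?tn=102733, so a missing scheme is tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def audit_ie_keys(text, known_hosts=KNOWN_HOSTS):
    """Return (kind, key, name, value) findings for an IE registry export."""
    keys = parse_reg_export(text)
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith("\\internet explorer\\main"):
            for name in ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"):
                if name in values and host_of(values[name]) not in known_hosts:
                    findings.append(("unknown-host", key, name, values[name]))
        elif low.endswith("\\searchscopes"):
            # DefaultScope must name a scope that exists in the same hive.
            guid = values.get("DefaultScope")
            if guid and not any(k.lower() == f"{key}\\{guid}".lower() for k in keys):
                findings.append(("dangling-default-scope", key, "DefaultScope", guid))
        elif "\\searchscopes\\{" in low:
            for name in ("URL", "SuggestionsURL", "FaviconURL"):
                if name in values and host_of(values[name]) not in known_hosts:
                    findings.append(("unknown-host", key, name, values[name]))
    return findings


if __name__ == "__main__":
    for kind, key, name, value in audit_ie_keys(SAMPLE_EXPORT):
        print(f"{kind}: [{key}] {name} = {value}")
```

On the constructed sample the only finding is the Start Page pointing at www.6700.cn; the ICQ and Live Search scopes pass because their hosts are on the allowlist. The same parser can be pointed at a real `reg export` of the two SearchScopes keys and of `...\Internet Explorer\Main`, which is a cheaper first check than reading a full HijackThis dump by eye.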

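The "Stealth MBR rootkit" section of the ComboFix log above is the most interesting part of the whole post. For each hooked driver object the scanner prints the module that owns the target address: \Driver\Disk resolves to CLASSPNP.SYS and \Driver\ACPI to ACPI.sys, but \Driver\atapi resolves only to a bare address, 0x85099ad8, which the "called modules" line also lists as >>UNKNOWN<<, i.e. code the scanner could not attribute to any loaded driver image. That is what the log's "possible MBR rootkit infection" warning is keyed on. As an added example (my own code, not part of the thread or of Gmer's tools), here is a small Python parser that reads that section and reports exactly the hooks whose target has no named module or lands in the UNKNOWN region. The sample text is constructed for the example and copies the shape of the log above.

```python
import re

# Constructed sample, copied in shape from the Gmer MBR-detector section of the
# ComboFix log above. Note the mixed case of the unknown address (0x85099AD8
# versus 0x85099ad8); the parser normalises it by converting to an integer.
SAMPLE_MBR_SCAN = """\
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85099AD8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf779ef10
\\Driver\\ACPI -> ACPI.sys @ 0xf7711cb8
\\Driver\\atapi -> 0x85099ad8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# "\Driver\X -> MODULE @ 0xADDR" or, with no module, "\Driver\X -> 0xADDR".
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (?:(\S+) @ )?(0x[0-9a-fA-F]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_hooks(text):
    """Return (driver_object, module_or_None, address_int) for each hook line."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return hooks


def unknown_module_addrs(text):
    """Addresses the scanner flagged as belonging to no loaded module."""
    return {int(a, 16) for a in UNKNOWN_RE.findall(text)}


def suspicious_hooks(text):
    """Hooks whose target is unattributed, or sits in the UNKNOWN region."""
    unknown = unknown_module_addrs(text)
    return [(drv, addr) for drv, mod, addr in parse_hooks(text)
            if mod is None or addr in unknown]


if __name__ == "__main__":
    for drv, addr in suspicious_hooks(SAMPLE_MBR_SCAN):
        print(f"{drv} dispatches to 0x{addr:08x}, which no loaded module owns")
```

On the sample the only hit is \Driver\atapi, matching the log. A hook that resolves to a legitimate .sys file (here CLASSPNP.SYS and ACPI.sys for the Disk and ACPI driver objects) is normal layering and should not be treated as a finding by itself; the unattributed target is the signal worth chasing, and it is exactly the case the next reply's TDSSKiller step is aimed at.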

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 17 September 2010 - 01:52 PM

Hi samatar,



Step 1
  1. Download TDSSKiller and save it to your Desktop.
  2. Extract its contents to your desktop.
  3. Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  4. If an infected file is detected, the default action will be Cure, click on Continue.
  5. If a suspicious file is detected, the default action will be Skip, click on Continue.
  6. It may ask you to reboot the computer to complete the process. Click on Reboot Now
  7. If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  8. If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.


Step 2
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
File::
C:\FOUND.007
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\windows\ab3cgtm.dll
C:\WINDOWS\icpb.dll
C:\WINDOWS\system32\14D3x2.dll

Driver::
IPRIP
bleepALLGUARD
560C3A5D

DDS::
uStart Page = www.6700.cn?tn=102733
uInternet Connection Wizard,ShellNext = iexplore

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00020D75-0000-0000-C000-000000000046}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step 3

Now, please delete any shortcut icons of IE or FF, including the IE icon in the quick launch toolbar on your desktop. If you have a problem deleting that fake icon, then please do the following:

1. Right-click on the desktop and select Properties
2. On the Desktop tab, click Customize Desktop
3. On the General tab, click the Clean Desktop Now button
4. The Desktop Cleanup Wizard will prompt; select the fake IE icon, follow the prompts and exit the wizard.

Note: If a folder called Unused Desktop Icons is created on the desktop with the fake IE icon in it, delete this folder and press F5 to refresh the desktop.
Please navigate to the C:\Program Files\Internet Explorer folder, right-click the iexplore icon and choose Send To > Desktop (create shortcut), and do the same with the Mozilla Firefox folder.
After that, you can change your homepage as it should be.


Go to Start > Run and type cmd. A window will come up. In the window, type chkdsk c: /F

The system will show a message saying: Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)

Type Y. Reboot the system. It will make repairs when it reboots. After that, please repeat with the following command: chkdsk c: /R



In your next reply, please post back:

1. TDSSKiller log
2. ComboFix log
3. New SystemLook.txt

Let me know if you have any remaining issues on your pc.

#11 samatar

samatar
  • Topic Starter

  • Members
  • 10 posts

Posted 17 September 2010 - 05:13 PM


Okay, I did what you told me to, and it looks fine so far! Thanks!

Here are all the logs:

TDSSKiller: didn't find anything

2010/09/17 20:58:07.0859 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/17 20:58:07.0859 ================================================================================
2010/09/17 20:58:07.0859 SystemInfo:
2010/09/17 20:58:07.0859
2010/09/17 20:58:07.0859 OS Version: 5.1.2600 ServicePack: 2.0
2010/09/17 20:58:07.0859 Product type: Workstation
2010/09/17 20:58:07.0859 ComputerName: VICTOR
2010/09/17 20:58:07.0859 UserName: USER
2010/09/17 20:58:07.0859 Windows directory: C:\WINDOWS
2010/09/17 20:58:07.0859 System windows directory: C:\WINDOWS
2010/09/17 20:58:07.0859 Processor architecture: Intel x86
2010/09/17 20:58:07.0859 Number of processors: 2
2010/09/17 20:58:07.0859 Page size: 0x1000
2010/09/17 20:58:07.0859 Boot type: Normal boot
2010/09/17 20:58:07.0859 ================================================================================
2010/09/17 20:58:08.0625 Initialize success
2010/09/17 20:58:46.0906 ================================================================================
2010/09/17 20:58:46.0906 Scan started
2010/09/17 20:58:46.0906 Mode: Manual;
2010/09/17 20:58:46.0906 ================================================================================
2010/09/17 20:58:49.0015 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/17 20:58:49.0093 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/17 20:58:49.0765 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/09/17 20:58:49.0890 AFD (6a0397376853e604de8e1e7a87fc08ac) C:\WINDOWS\System32\drivers\afd.sys
2010/09/17 20:58:50.0078 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
2010/09/17 20:58:50.0906 AmdK7 (680ad1c1bb16239e28d8f33a54a7a3c7) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2010/09/17 20:58:51.0796 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/17 20:58:51.0890 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/17 20:58:52.0187 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/17 20:58:52.0312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/17 20:58:52.0375 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/17 20:58:52.0546 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/17 20:58:52.0765 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/17 20:58:52.0890 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/17 20:58:52.0984 Cdrom (7b53584d94e9d8716b2de91d5f1cb42d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/17 20:58:53.0468 cmuda (997f912324b3bb977af2df376e5508ce) C:\WINDOWS\system32\drivers\cmuda.sys
2010/09/17 20:58:53.0703 d347bus (5776322f93cdb91086111f5ffbfda2a0) C:\WINDOWS\system32\DRIVERS\d347bus.sys
2010/09/17 20:58:53.0734 d347prt (b49f79ace459763f4e0380071be9cb45) C:\WINDOWS\system32\Drivers\d347prt.sys
2010/09/17 20:58:54.0156 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/17 20:58:54.0328 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/17 20:58:54.0453 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
2010/09/17 20:58:54.0500 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/17 20:58:54.0671 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/17 20:58:54.0937 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/17 20:58:55.0156 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/17 20:58:55.0265 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/17 20:58:55.0421 FETND5BV (7d53d569892b46738e87f39c9aa8488a) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
2010/09/17 20:58:55.0640 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/17 20:58:55.0750 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/17 20:58:55.0921 FltMgr (6cc5181f718820861eeadae38f764b75) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/09/17 20:58:56.0093 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2010/09/17 20:58:56.0171 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/17 20:58:56.0218 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/17 20:58:56.0437 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/09/17 20:58:56.0500 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/09/17 20:58:56.0593 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/17 20:58:56.0656 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
2010/09/17 20:58:56.0812 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/09/17 20:58:56.0937 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/17 20:58:57.0234 HPZid412 (863cc3a82c63c9f60acf2e85d5310620) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/09/17 20:58:57.0359 HPZipr12 (08cb72e95dd75b61f2966b311d0e4366) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/09/17 20:58:57.0484 HPZius12 (ca990306ed4ef732af9695bff24fc96f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/09/17 20:58:57.0578 HTTP (261bf53e1d1c21f04b4e748a6ed3d055) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/17 20:58:58.0015 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/17 20:58:58.0125 Imapi (12c59b8929121ace2f55acc86682cf12) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/17 20:58:58.0593 intelppm (db8a1859cf9e48914dcc0a7206d87be5) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/17 20:58:58.0734 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/09/17 20:58:58.0828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/17 20:58:58.0953 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/17 20:58:59.0078 IpNat (472c75f85e631f8aa87d21c9fee6238d) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/17 20:58:59.0187 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/17 20:58:59.0343 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/17 20:59:18.0203 ================================================================================
2010/09/17 20:59:18.0203 Scan finished
2010/09/17 20:59:18.0203 ================================================================================
2010/09/17 21:00:59.0296 Deinitialize success


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------


Combofix:

ComboFix 10-09-16.07 - USER 09/17/2010 21:20:30.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.186 [GMT 2:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\USER\Desktop\CFScript.txt

FILE ::
"C:\FOUND.003"
"C:\FOUND.004"
"C:\FOUND.005"
"C:\FOUND.006"
"C:\FOUND.007"
"c:\windows\ab3cgtm.dll"
"c:\windows\icpb.dll"
"c:\windows\system32\14D3x2.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ab3cgtm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_560C3A5D
-------\Legacy_IPRIP
-------\Service_560C3A5D
-------\Service_IPRIP


((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.

2010-09-17 19:11 . 2010-09-17 19:11 -------- d-----w- C:\FOUND.008
2010-09-17 13:15 . 2010-09-17 13:15 -------- d-----w- C:\FOUND.007
2010-09-17 11:34 . 2010-09-17 11:34 -------- d-----w- c:\program files\ESET
2010-09-17 11:22 . 2010-09-17 11:23 -------- d-----w- C:\_OTL
2010-09-17 11:18 . 2010-09-17 11:18 -------- d-----w- c:\program files\Common Files\Java
2010-09-17 10:03 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 10:03 . 2010-09-17 10:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 10:03 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 10:09 . 2010-09-15 10:09 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\PCHealth
2010-09-14 22:32 . 2010-09-14 22:32 -------- d-----w- C:\FOUND.006
2010-09-13 23:48 . 2010-09-13 23:48 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-09-11 11:58 . 2010-09-11 11:58 -------- d-----w- C:\FOUND.005
2010-09-08 16:59 . 2010-09-08 16:59 -------- d-----w- C:\FOUND.004
2010-09-02 16:22 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-02 16:22 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-09-02 16:22 . 2001-08-17 12:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-02 16:22 . 2001-08-17 12:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-08-29 10:36 . 2010-08-29 10:36 -------- d-----w- C:\FOUND.003

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 13:19 . 2010-08-06 13:19 503808 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\msvcp71.dll
2010-08-06 13:19 . 2010-08-06 13:19 499712 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\jmc.dll
2010-08-06 13:19 . 2010-08-06 13:19 348160 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\msvcr71.dll
2010-08-06 13:19 . 2010-08-06 13:19 61440 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3a17ad62-n\decora-sse.dll
2010-08-06 13:19 . 2010-08-06 13:19 12800 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3a17ad62-n\decora-d3d.dll
2010-07-17 03:00 . 2010-06-15 14:20 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-28 39408]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-04-08 3233752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2004-07-29 2052173]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2007-09-20 61952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7-10"="advpack.dll" [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2004-07-29 13:04 2052173 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2007-09-20 09:33 61952 ----a-w- c:\windows\system32\HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 08:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 21:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2005-03-11 09:33 147456 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"CCALib8"=2 (0x2)
"560C3A5D"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MicroStar\\WLANUtility\\APUtility.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [1/14/2008 6:31 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [1/14/2008 6:31 PM 5248]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [6/18/2010 10:29 PM 632792]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/26/2006 1:46 PM 611064]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys --> c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [?]
S3 bleepALLGUARD;bleepALLGUARD;\??\c:\001630aa\001630B2 --> c:\001630aa\001630B2 [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2006-01-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1100 series5E771253C1676EBED677BF361FDFC537825E15B8057004624.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]

2010-09-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-28 14:18]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 15:31]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 15:31]

2010-09-15 c:\windows\Tasks\Norton Security Scan for USER.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-28 04:32]

2010-09-17 c:\windows\Tasks\RMSchedule_219.job
- c:\program files\Registry Mechanic\Launcher.exe [2010-06-18 07:14]

2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?e50b0d39614d4839b3b204b095624854
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?e50b0d39614d4839b3b204b095624854
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\windows\system32\mapi32.dll
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://centrasrv.cet.ac.il/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {22055A00-27C0-438B-BF53-44E973A4C48A} - hxxp://thesecret.tv/movie/player/vivid_ocx.jpeg
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-17 21:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84F38C70]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf779ef10
\Driver\ACPI -> ACPI.sys @ 0xf7711cb8
\Driver\atapi -> 0x84f38c70
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf74fbba0
PacketIndicateHandler -> NDIS.sys @ 0xf7508b21
SendHandler -> NDIS.sys @ 0xf74e687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\bleepALLGUARD]
"ImagePath"="\??\c:\001630aa\001630B2"

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-839522115-1957994488-1004\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
"File1"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1400)
c:\windows\system32\WININET.dll
c:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
d:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\matlab6p5\bin\win32\matlab.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-17 21:30:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-17 19:30
ComboFix2.txt 2010-09-17 16:07

Pre-Run: 2,809,659,392 bytes free
Post-Run: 2,812,739,584 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 0A53EF9723E36C8499E38800E4953482

-----------------------------------------------------------------------------------------------------------------------------------------------------------------


SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 00:09 on 18/09/2010 by USER
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}.default"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"= 0x0000000001 (1)
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"= 0x0000000001 (1)
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"= 0x0000000001 (1)
"{871C5380-42A0-1069-A2EA-08002B30309D}"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
@="Computer Search Results Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
@=""
"Removal Message"="@mydocs.dll,-900"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
@="Search Results Folder"


[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@=""C:\Program Files\Internet Explorer\IEXPLORE.EXE""


[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}]
"InfoTip"="@C:\WINDOWS\system32\ieframe.dll.mui,-881"
"LocalizedString"="@C:\WINDOWS\system32\ieframe.dll.mui,-880"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon]
@="C:\WINDOWS\system32\ieframe.dll,-190"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32]
@="C:\WINDOWS\system32\ieframe.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell]
@="OpenHomePage"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns]
@="Start Without Add-ons"
"LegacyDisable"=""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns\Command]
@=""C:\Program Files\Internet Explorer\iexplore.exe" -extoff"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage]
@="Open &Home Page"
"MUIVerb"="@shdoclc.dll,-10241"
"LegacyDisable"=""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@=""%programfiles%\internet explorer\iexplore.exe""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex]
(No values found)

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers]
(No values found)

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe]
@="{871C5380-42A0-1069-A2EA-08002B30309D}"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\MayChangeDefaultMenu]
@=""

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]
"Attributes"= 0x0000000024 (36)
"HideFolderVerbs"=""
"WantsParseDisplayName"=""
"HideOnDesktopPerUser"=""
@="C:\WINDOWS\system32\ieframe.dll,-190"
"HideAsDeletePerUser"=""


[HKEY_CLASSES_ROOT\http\shell\open\command]
@=""C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome"


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"Version"= 0x0000000002 (2)
"DownloadUpdates"= 0x0000000001 (1)
"UpgradeTime"=f0 a4 1e 5b 90 0c cb 01 (REG_BINARY)
"DefaultScope"="{AC655E01-E98D-4658-B920-C9BB6C4F9753}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURLFallback"="http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
"FaviconURLFallback"="http://www.bing.com/favicon.ico"
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
"DisplayName"="Bing"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AAF5579-09FC-45EB-8C64-9195857F3FC1}]
"DisplayName"="Bing"
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
"SuggestionsURLFallback"="http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
"FaviconURLFallback"="http://www.bing.com/favicon.ico"
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{5AAF5579-09FC-45EB-8C64-9195857F3FC1}.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}]
"URL"="http://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd"
"DisplayName"="ICQ Search"
"FaviconURL"="http://c.icq.com/favicon.ico"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}\Non-Matches]
"http://c.icq.com/search/icqosd.xml"=00 1c 99 52 1e d0 c6 01 (REG_BINARY)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{6A1806CD-94D4-4689-BA73-E35EA1EA9990}.ico"
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AC655E01-E98D-4658-B920-C9BB6C4F9753}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7GPEA_enIL299"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"= 0x0000000001 (1)
"FaviconPath"="C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{AC655E01-E98D-4658-B920-C9BB6C4F9753}.ico"
"SuggestionsURLFallback"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"FaviconURLFallback"="http://www.google.com/favicon.ico"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
"FaviconURL"="http://www.google.com/favicon.ico"
"SuggestionsURL"="http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"
"ShowSearchSuggestions"= 0x0000000001 (1)
"SortIndex"= 0x0000000000 (0)


-= EOF =-

----------------------------------------------------------------------------------------------------------------------------------------------------------------



So do you think everything looks okay now? Thanks again!

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:22 PM

Posted 17 September 2010 - 08:57 PM

Hi samatar,



QUOTE
So do you think everything looks okay now?

Looks good. We need to do the last check. If everything goes well, you should be good to go.

Step1
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
Folder::
C:\FOUND.007
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\001630aa

Driver::
bleepALLGUARD

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet006\Services\bleepALLGUARD]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2
  1. Go to this thread and Download Bootkit Remover.rar to your Desktop.
  2. Extract its contents to your desktop and drag remover.exe on the desktop, not in the folder.
  3. Start > Run and type cmd and hit enter, copy/paste the following bolded command into command prompt and hit Enter.

    "%userprofile%\desktop\remover.exe" >"%userprofile%\desktop\remover.txt"

  4. When done, a log file should be created on your desktop named "remover.txt". Please copy and paste the contents in your next reply.
In your next reply, please post back:

1. ComboFix log
2. Remover.txt

Let me know how your pc is running now.

Edited by sundavis, 17 September 2010 - 09:27 PM.
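The ComboFix log requested in Step1 ends with the output of Gmer's Stealth MBR rootkit detector. As an added example (not part of this thread, of ComboFix or of Gmer), the Python below parses that section, pairs the `>>UNKNOWN [addr]<<` entry in the disk call chain with any hook whose target is printed as a bare address instead of `module @ addr`, and returns a triage verdict; both sample logs are constructed in the format ComboFix prints.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample mirroring the Gmer section at the end of a ComboFix log.
SUSPECT_SAMPLE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85081708]<<
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf779ef10
\\Driver\\ACPI -> ACPI.sys @ 0xf7711cb8
\\Driver\\atapi -> 0x85081708
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
"""

# Constructed clean run: every module in the call chain is named and no hooks are listed.
CLEAN_SAMPLE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
user & kernel MBR OK
"""

SECTION_START = "Stealth MBR rootkit/Mebroot/Sinowal detector"
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
BARE_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]+$")
MODULE_AT_RE = re.compile(r"^(?P<module>\S+) @ (?P<addr>0x[0-9a-fA-F]+)$")


@dataclass
class Hook:
    source: str            # hooked object or procedure, e.g. \Driver\atapi
    module: Optional[str]  # module the target was attributed to; None if only an address
    address: str


@dataclass
class MbrTriage:
    unknown_module_addr: Optional[str] = None  # from '>>UNKNOWN [addr]<<' in the call chain
    hooks: List[Hook] = field(default_factory=list)
    gmer_warning: bool = False

    def unresolved_hooks(self) -> List[Hook]:
        """Hooks whose target was printed as a bare address rather than a named module."""
        return [h for h in self.hooks if h.module is None]

    def verdict(self) -> str:
        unresolved = self.unresolved_hooks()
        # Strongest signal: the UNKNOWN module in the disk call chain is itself a hook target.
        if any(h.address == self.unknown_module_addr for h in unresolved):
            return "SUSPECT"
        if self.gmer_warning or unresolved or self.unknown_module_addr:
            return "REVIEW"
        return "CLEAN"


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse '<source> -> <module> @ <addr>' or '<source> -> <addr>'; None for other lines."""
    if " -> " not in line:
        return None
    source, target = line.rsplit(" -> ", 1)
    if BARE_ADDR_RE.match(target):
        return Hook(source, None, target.lower())
    m = MODULE_AT_RE.match(target)
    return Hook(source, m.group("module"), m.group("addr").lower()) if m else None


def triage_mbr_section(log_text: str) -> MbrTriage:
    result = MbrTriage()
    lines = log_text.splitlines()
    start = next((i for i, l in enumerate(lines) if SECTION_START in l), None)
    if start is None:
        return result  # no Gmer section in this log
    in_hooks = False
    for raw in lines[start + 1:]:
        line = raw.strip()
        if line.startswith("*****"):
            break  # separator before the next ComboFix section
        if line.startswith("called modules:"):
            m = UNKNOWN_RE.search(line)
            result.unknown_module_addr = m.group(1).lower() if m else None
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line.startswith("Warning:"):
            result.gmer_warning = True
            in_hooks = False
        elif in_hooks:
            hook = parse_hook_line(line)
            in_hooks = hook is not None  # any non-hook line ends the list
            if hook:
                result.hooks.append(hook)
    return result


if __name__ == "__main__":
    for sample in (SUSPECT_SAMPLE, CLEAN_SAMPLE):
        t = triage_mbr_section(sample)
        print(t.verdict(), [f"{h.source} -> {h.address}" for h in t.unresolved_hooks()])
```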


#13 samatar

samatar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:22 AM

Posted 18 September 2010 - 07:31 AM


Hello, I ran ComboFix and will present the log. I've also tried running the bootkit remover, but it's not really working. I extracted all contents (two txt files and an exe) to the desktop, then ran cmd, then tried typing in your line, but it didn't work. Now, I noticed that the exe I have is titled bootkit_remover.exe and not remover.exe, so I changed that in the line you gave me and it didn't give me an error, but it's been running for quite a while now without any messages... there is now a remover.txt on the desktop, but I haven't opened it.

Also, I noticed that after ComboFix (don't know if it's related, but I only noticed it after ComboFix), a new Internet Explorer icon showed up on my desktop, beside the shortcut I manually made from Program Files\Internet Explorer. I have not opened it yet, fearing it might be infected, and I wanted to ask if it's normal - if it's something that should happen? The shortcut I made still gives me google.com as homepage.

At any rate, here's the combofix log:

ComboFix 10-09-17.04 - USER 09/18/2010 13:04:41.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.192 [GMT 2:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\USER\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\001630aa
C:\FOUND.003
c:\found.003\FILE0000.CHK
c:\found.003\FILE0001.CHK
C:\FOUND.004
c:\found.004\FILE0000.CHK
C:\FOUND.005
c:\found.005\FILE0000.CHK
c:\found.005\FILE0001.CHK
c:\found.005\FILE0002.CHK
c:\found.005\FILE0003.CHK
c:\found.005\FILE0004.CHK
c:\found.005\FILE0005.CHK
c:\found.005\FILE0006.CHK
c:\found.005\FILE0007.CHK
c:\found.005\FILE0008.CHK
c:\found.005\FILE0009.CHK
c:\found.005\FILE0010.CHK
c:\found.005\FILE0011.CHK
c:\found.005\FILE0012.CHK
C:\FOUND.006
C:\FOUND.007
c:\found.007\FILE0000.CHK

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bleepALLGUARD


((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
.

2010-09-17 19:11 . 2010-09-17 19:11 -------- d-----w- C:\FOUND.008
2010-09-17 11:34 . 2010-09-17 11:34 -------- d-----w- c:\program files\ESET
2010-09-17 11:22 . 2010-09-17 11:23 -------- d-----w- C:\_OTL
2010-09-17 11:18 . 2010-09-17 11:18 -------- d-----w- c:\program files\Common Files\Java
2010-09-17 10:03 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 10:03 . 2010-09-17 10:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 10:03 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 10:09 . 2010-09-15 10:09 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\PCHealth
2010-09-13 23:48 . 2010-09-13 23:48 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-09-02 16:22 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-02 16:22 . 2001-08-17 11:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-09-02 16:22 . 2001-08-17 12:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-02 16:22 . 2001-08-17 12:02 9600 ----a-w- c:\windows\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 13:19 . 2010-08-06 13:19 503808 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\msvcp71.dll
2010-08-06 13:19 . 2010-08-06 13:19 499712 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\jmc.dll
2010-08-06 13:19 . 2010-08-06 13:19 348160 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-486d882d-n\msvcr71.dll
2010-08-06 13:19 . 2010-08-06 13:19 61440 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3a17ad62-n\decora-sse.dll
2010-08-06 13:19 . 2010-08-06 13:19 12800 ----a-w- c:\documents and settings\USER\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3a17ad62-n\decora-d3d.dll
2010-07-17 03:00 . 2010-06-15 14:20 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-09-17_16.03.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-18 11:12 . 2010-09-18 11:12 16384 c:\windows\Temp\Perflib_Perfdata_180.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-28 39408]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-04-08 3233752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2004-07-29 2052173]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2007-09-20 61952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IE7-10"="advpack.dll" [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2004-07-29 13:04 2052173 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2007-09-20 09:33 61952 ----a-w- c:\windows\system32\HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 08:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 21:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-07 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2005-03-11 09:33 147456 ----a-r- c:\windows\system32\VTTrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"CCALib8"=2 (0x2)
"560C3A5D"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MicroStar\\WLANUtility\\APUtility.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [1/14/2008 6:31 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [1/14/2008 6:31 PM 5248]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [6/18/2010 10:29 PM 632792]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/26/2006 1:46 PM 611064]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys --> c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2006-01-20 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1100 series5E771253C1676EBED677BF361FDFC537825E15B8057004624.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]

2010-09-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-28 14:18]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 15:31]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-09 15:31]

2010-09-15 c:\windows\Tasks\Norton Security Scan for USER.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-28 04:32]

2010-09-17 c:\windows\Tasks\RMSchedule_219.job
- c:\program files\Registry Mechanic\Launcher.exe [2010-06-18 07:14]

2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 10:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?e50b0d39614d4839b3b204b095624854
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?e50b0d39614d4839b3b204b095624854
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\windows\system32\mapi32.dll
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://centrasrv.cet.ac.il/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {22055A00-27C0-438B-BF53-44E973A4C48A} - hxxp://thesecret.tv/movie/player/vivid_ocx.jpeg
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-18 13:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85081708]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf779ef10
\Driver\ACPI -> ACPI.sys @ 0xf7711cb8
\Driver\atapi -> 0x85081708
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf74fbba0
PacketIndicateHandler -> NDIS.sys @ 0xf7508b21
SendHandler -> NDIS.sys @ 0xf74e687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-839522115-1957994488-1004\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
"File1"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Babylon\Babylon-Pro\CAPTLIB.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
d:\matlab6p5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\matlab6p5\bin\win32\matlab.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-18 13:24:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-18 11:24
ComboFix2.txt 2010-09-17 19:30
ComboFix3.txt 2010-09-17 16:07

Pre-Run: 2,565,799,936 bytes free
Post-Run: 2,705,096,704 bytes free

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - F4F37C05A6EC6E87E1AEABE7B2070280


#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:05:22 PM

Posted 18 September 2010 - 08:22 AM

Hi samatar,



QUOTE
there is now a remover.txt on the desktop but I haven't opened it

Yes, they have changed the name to bootkit_remover. Please open it and copy/paste the content in your next reply. Otherwise, double click on bootkit_remover.exe; a DOS window will open. Right click on it and choose Select All, then copy/paste the content in your next reply.

QUOTE
a new Internet Explorer icon showed up on my desktop

You may delete it.

Let me know how things are now.

Edited by sundavis, 18 September 2010 - 08:27 AM.


#15 samatar

samatar
  • Topic Starter

  • Members
  • 10 posts
  • Local time:01:22 AM

Posted 18 September 2010 - 08:28 AM


Here's the remover log:

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com
Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;



Everything seems fine! Thank you very much! Will keep you posted in the next couple of days if anything goes wrong :-)



