
infected with rootkit, can't get rid of it


35 replies to this topic

#1 Leogane

  • Members
  • 26 posts

Posted 19 October 2010 - 07:59 PM

Got infected with a rootkit.tdss from a friend's external hard drive. Got a fake virus alert, ran Malwarebytes, it found it. Ran it again in safe mode, found no suspicious activities. Ran Spybot - Search & Destroy, nothing. Ran SUPERAntiSpyware, again nothing. Next day ran Mbam again, found 16 nasties. Google Chrome crashed, now I use Firefox and get search redirects to search.fast-find.net and also had serious trouble turning on my computer, it just refused to start up in any mode whatsoever, tried a bunch of times and it kept rebooting.

I'm attaching the DDS & GMER logs, should have the Malwarebytes if you want to look at them.


I've no idea what else to do. Also, for some reason can't upload DDS.txt. I'll copy/paste that one, the other two seem to be all right. Sorry about that and thanks a million!

GMER log
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-19 19:39:49
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Tsetsi\LOCALS~1\Temp\kxdiykog.sys



---- System - GMER 1.0.15 ----

SSDT 8A06CAE8 ZwAlertResumeThread
SSDT 8A0F7198 ZwAlertThread
SSDT 8A03EC10 ZwAllocateVirtualMemory
SSDT 8A04AE28 ZwConnectPort
SSDT 89D60218 ZwCreateMutant
SSDT 89FF6120 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA16DB350]
SSDT 89FAD8F0 ZwFreeVirtualMemory
SSDT 89F85560 ZwImpersonateAnonymousToken
SSDT 8A15CDC8 ZwImpersonateThread
SSDT 89FDF6B0 ZwMapViewOfSection
SSDT 89FBB498 ZwOpenEvent
SSDT 89FAFB98 ZwOpenProcessToken
SSDT 89FA8D50 ZwOpenThreadToken
SSDT 8A22C8C0 ZwQueryValueKey
SSDT 8A2B3F38 ZwResumeThread
SSDT 89D09340 ZwSetContextThread
SSDT 89FAB3B0 ZwSetInformationProcess
SSDT 89D2F368 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA16DB580]
SSDT 89D25540 ZwSuspendProcess
SSDT 8A2722D0 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA13A0620]
SSDT 89FE2CE8 ZwTerminateThread
SSDT 89FAD5B0 ZwUnmapViewOfSection
SSDT 8A03C780 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + A6 804E4900 8 Bytes CALL 18D84FCF

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[1000] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\WINDOWS\System32\svchost.exe[1000] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0446000A
.text C:\WINDOWS\System32\svchost.exe[1000] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F3000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[1276] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe[1276] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\WINDOWS\RTHDCPL.EXE[1296] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\WINDOWS\RTHDCPL.EXE[1296] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[1304] KERNEL32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[1304] KERNEL32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1408] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1408] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1408] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\iTunes\iTunes.exe[1624] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\iTunes\iTunes.exe[1624] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1700] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1700] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1748] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[1748] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1836] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1836] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\iTunes\iTunesHelper.exe[1852] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\iTunes\iTunesHelper.exe[1852] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0139000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1872] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Skype\Phone\Skype.exe[2004] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Skype\Phone\Skype.exe[2004] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2012] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2012] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[2020] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[2020] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2028] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2028] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2096] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2096] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3008] KERNEL32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3008] KERNEL32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[3248] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[3248] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\WinRAR\WinRAR.exe[3932] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\WinRAR\WinRAR.exe[3932] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[4084] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[4084] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\DOCUME~1\Tsetsi\LOCALS~1\Temp\Rar$EX00.468\gmer.exe[4496] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\DOCUME~1\Tsetsi\LOCALS~1\Temp\Rar$EX00.468\gmer.exe[4496] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4648] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe[4648] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe[4772] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe[4772] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]
.text C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe[6036] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe[6036] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A25B292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A25B292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A25B292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A25B292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T1L0-12 8A25B292

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD2500BEVT-75ZCT2___________________11.01A11#5&20cffd81&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@keueme C:\Documents and Settings\Tsetsi\keueme.exe /C

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


Edited by Maurice Naggar, 19 October 2010 - 08:06 PM.
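A way to read a GMER log like the one above, added here as an example and not part of the original post or of GMER itself: it separates hooks that GMER attributes to a named driver or module from hooks and patches whose target is a bare address, and treats the MBR detection and a kernel CALL into user-mode address space as the critical items. The sample lines are copied from the log above; the only assumption is a 32-bit XP kernel with the default 2 GB user/kernel split (no /3GB switch), which is what makes "target below 0x80000000" a meaningful check.

```python
"""Triage a GMER rootkit-scan log: what is attributed to a known image versus
what points into anonymous memory.  Added example; assumes a 32-bit XP kernel
with the default 2 GB split."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the GMER log in the first post, trimmed.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8A06CAE8 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA16DB350]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA13A0620]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + A6 804E4900 8 Bytes CALL 18D84FCF

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\Program Files\iTunes\iTunes.exe[1624] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1872] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A25B292

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@keueme C:\Documents and Settings\Tsetsi\keueme.exe /C

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" | "suspicious" | "attributed"
    category: str
    detail: str


HEX = r"[0-9A-Fa-f]{8}"
KERNEL_BASE = 0x80000000  # assumption: default 2 GB split, user space lies below this

# One pattern per GMER line shape that appears in the log.
RE_SSDT_MOD = re.compile(r"^SSDT (.+?) \((.+?)\) (\w+) \[0x[0-9A-Fa-f]+\]$")
RE_SSDT_ADDR = re.compile(rf"^SSDT ({HEX}) (\w+)$")
RE_KERNEL_PATCH = re.compile(rf"^\.text (\S+!\w+)(?: \+ [0-9A-Fa-f]+)? {HEX} (\d+) Bytes (JMP|CALL) ({HEX})$")
RE_USER_HOOK = re.compile(rf"^\.text (.+?\[\d+\]) (\S+!\S+) {HEX} (\d+) Bytes? (.+)$")
RE_ATTACHED = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.+)\)$")
RE_STARTIO = re.compile(rf"^Device (\\Driver\\\w+) -> DriverStartIo (\S+) ({HEX})$")
RE_REG_RUN = re.compile(r"^Reg (\S+?)@(\S+) (.+)$")
RE_DISK = re.compile(r"^Disk (\S+) (sectors? [^:]+): (.+)$")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := RE_DISK.match(line):
            # GMER names the family when it recognises the boot-sector code.
            sev = "critical" if "ROOTKIT" in m.group(3) else "suspicious"
            findings.append(Finding(sev, "disk", f"{m.group(1)} {m.group(2)}: {m.group(3)}"))
        elif m := RE_SSDT_MOD.match(line):
            findings.append(Finding("attributed", "ssdt", f"{m.group(3)} -> {m.group(1)} ({m.group(2)})"))
        elif m := RE_SSDT_ADDR.match(line):
            # Hook target is a bare address: GMER found no loaded image that owns it.
            findings.append(Finding("suspicious", "ssdt", f"{m.group(2)} -> {m.group(1)} (no owning module)"))
        elif m := RE_KERNEL_PATCH.match(line):
            sym, _, insn, target = m.groups()
            # Kernel code transferring control below the kernel base is never legitimate.
            sev = "critical" if int(target, 16) < KERNEL_BASE else "suspicious"
            findings.append(Finding(sev, "kernel-patch", f"{sym} {insn} -> {target}"))
        elif m := RE_USER_HOOK.match(line):
            proc, func, _, rest = m.groups()
            if rest.startswith("[C3]"):
                # 0xC3 is RET: the export has been stubbed to return immediately.
                findings.append(Finding("suspicious", "user-ret-stub", f"{func} in {proc}"))
            elif "(" in rest:
                # JMP target resolved to a named module, e.g. firefox.exe hooking itself.
                findings.append(Finding("attributed", "user-hook", f"{func} in {proc} -> {rest}"))
            else:
                findings.append(Finding("suspicious", "user-hook", f"{func} in {proc} -> {rest}"))
        elif m := RE_ATTACHED.match(line):
            findings.append(Finding("attributed", "filter", f"{m.group(3)} on {m.group(2)} ({m.group(4)})"))
        elif m := RE_STARTIO.match(line):
            # DriverStartIo of the disk port driver redirected to an anonymous address.
            findings.append(Finding("suspicious", "startio", f"{m.group(1)} {m.group(2)} -> {m.group(3)}"))
        elif m := RE_REG_RUN.match(line):
            findings.append(Finding("suspicious", "autorun", f"{m.group(1)}@{m.group(2)} = {m.group(3)}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:<10} {f.category:<14} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run on the full log above, the split is the useful part: every SSDT entry attributed to SYMEVENT.SYS or SASKUTIL.SYS and the Ntfs/Tcpip filter attachments are the installed security products, while the MBR code GMER names as TDL4, the atapi DriverStartIo pointer redirected to 8A25B292, and the CALL patched into ntoskrnl toward 18D84FCF are the items with no owning image. The single-byte [C3] stub on TerminateProcess/TerminateThread is present in every user-mode process in the log, gmer.exe included, which is why the triage leaves it at "suspicious" rather than "critical": an analyst confirms which driver writes it before treating it as malicious.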



#2 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 19 October 2010 - 08:14 PM

Hello leogane,

Please make it very very clear: Are you able to start Windows XP in normal mode?
You had indicated you had serious issues starting it.

If possible, yes, copy and paste contents of last MBAM scan log.
btw, from here forward, do NOT attach any reports. Always try to use NOTEPAD (as needed) to Copy contents of log and then Paste into body of reply box.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Leogane
  • Topic Starter

  • Members
  • 26 posts

Posted 19 October 2010 - 08:50 PM

Hi, Maurice! Thanks for getting back to me so quickly, I greatly appreciate it :)

And yes, I finally managed to start it in Normal Mode, after about 10 reboots. It basically kept going back to that black screen that comes up if you press F8 and where you get to choose what mode to start in. After about five of those, trying different modes and all, I force restarted it and then after two or three more of those black screens it finally went on in Normal Mode.

Also, the very last Mbam log has nothing in it, so I'll paste the last one that found stuff as well, just in case.

Again, thank you! :)

Last Mbam

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4844

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/17/2010 11:51:46 AM
mbam-log-2010-11-17 (11-51-46).txt

Scan type: Quick scan
Objects scanned: 159115
Time elapsed: 8 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Last Mbam with stuff in it.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4844

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/17/2010 11:15:45 AM
mbam-log-2010-11-17 (11-15-45).txt

Scan type: Quick scan
Objects scanned: 156993
Time elapsed: 15 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\Documents and Settings\Tsetsi\Application Data\hotfix.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdogoxiwu (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wigrsgfa.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tsetsi\Local Settings\Temp\brgg.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tsetsi\Local Settings\Temp\qvvie.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tsetsi\Local Settings\Temp\vlpg.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tsetsi\Local Settings\Temporary Internet Files\Content.IE5\0I66V51A\waicxvq[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tsetsi\Local Settings\Temporary Internet Files\Content.IE5\99RCR59D\gkemxszusa[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tsetsi\Local Settings\Temporary Internet Files\Content.IE5\Y1AYSBC2\lltaitbvdo[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tsetsi\Application Data\hotfix.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.

#4 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 19 October 2010 - 09:28 PM

You will want to print out or copy these instructions to Notepad for offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Leogane and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools

Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 3
  • Please download Rootkit Unhooker and save it to your desktop.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • This log may be very large so please use multiple posts if need be.

Note:You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Copy the entire contents of the report and paste it in a reply here for review.

Step 4
First, make sure you have saved all your work before you begin, and close your open apps.

Note: If using Firefox right-click on any download links and choose Save As
Save both files to the same place ---- the Desktop.

Please download OTH and SAVE to the Desktop

Please download OTL and SAVE to the Desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.
IF you are running Vista or Windows 7, then do a Right-click on OTH and select Run As Administrator to start.


Once OTH has started, click on Start OTL. OTL will now start.

  • Do the following in OTL:
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Back in OTH:
    Click the Internet Explorer button. Go to this forum & login & return to this topic.
    Copy & Paste these logs into your reply here.

Edited by Maurice Naggar, 19 October 2010 - 09:30 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
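What to do with the driver table Rootkit Unhooker produces once it is posted, added here as an example and not part of Maurice's instructions or of either tool: each RkU driver row gives a load address and an image size, so the bare hook addresses GMER reported in the first post can be resolved against the table to answer "does this address fall inside any loaded image at all?". The sample rows are copied from the RkU report in reply #6 and the looked-up addresses from the GMER log in the first post; the "user-writable path" patterns are my own heuristic, not an RkU feature.

```python
"""Resolve GMER hook targets against the driver table Rootkit Unhooker prints.
Added example; the rows are copied from the RkU report in this thread and the
addresses are the ones GMER reported in the first post."""
from __future__ import annotations

import re
from typing import NamedTuple, Optional


class Module(NamedTuple):
    base: int
    size: int
    path: str
    vendor: str  # empty when RkU printed no version block for the image


# Constructed sample: seven rows from the ">Drivers" table in reply #6.
RKU_DRIVERS = r"""
0xA1396000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xA16C7000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 139264 bytes (Symantec Corporation, Symantec Event Library)
0xF747C000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA1268000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0x9BA01000 C:\DOCUME~1\Tsetsi\LOCALS~1\Temp\kxdiykog.sys 94208 bytes
0x9B127000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
"""

# "0x<base> <path> <size> bytes (<vendor, description>)"; the parenthesised part is optional.
RE_DRIVER = re.compile(r"^0x([0-9A-Fa-f]{8}) (.+?) (\d+) bytes(?: \((.*)\))?$")

# Heuristic (my assumption, not RkU's): locations a driver should not be loaded from.
RE_USER_WRITABLE = re.compile(r"\\Temp\\|\\DOCUME~1\\|\\Documents and Settings\\", re.IGNORECASE)


def parse_drivers(text: str) -> list[Module]:
    mods = []
    for line in text.splitlines():
        m = RE_DRIVER.match(line.strip())
        if m:
            mods.append(Module(int(m.group(1), 16), int(m.group(3)), m.group(2), m.group(4) or ""))
    return mods


def locate(mods: list[Module], addr: int) -> Optional[Module]:
    """Return the image whose [base, base+size) range contains addr, or None when
    the address lies in anonymous memory (pool, or an image hidden from the list)."""
    for mod in mods:
        if mod.base <= addr < mod.base + mod.size:
            return mod
    return None


def flag_drivers(mods: list[Module]) -> list[tuple[str, list[str]]]:
    """Drivers with no version info or loaded from a user-writable location."""
    flagged = []
    for mod in mods:
        reasons = []
        if not mod.vendor:
            reasons.append("no version info")
        if RE_USER_WRITABLE.search(mod.path):
            reasons.append("user-writable path")
        if reasons:
            flagged.append((mod.path, reasons))
    return flagged


if __name__ == "__main__":
    mods = parse_drivers(RKU_DRIVERS)
    # The two attributed SSDT hooks and the two anonymous addresses from the GMER log.
    for name, addr in [("ZwDeleteValueKey", 0xA16DB350), ("ZwTerminateProcess", 0xA13A0620),
                       ("atapi DriverStartIo", 0x8A25B292), ("ntoskrnl CALL target", 0x18D84FCF)]:
        hit = locate(mods, addr)
        print(f"{name:<22} {addr:#010x} -> {hit.path if hit else 'NO LOADED IMAGE'}")
    for path, reasons in flag_drivers(mods):
        print("flag:", path, ", ".join(reasons))
```

The two SSDT hook addresses GMER credited to SYMEVENT.SYS and SASKUTIL.SYS do land inside those images' ranges, which is the cross-check you want before trusting the attribution; the atapi DriverStartIo target 8A25B292 and the ntoskrnl CALL target 18D84FCF land in no listed image at all. The path heuristic flags kxdiykog.sys, and the first post's GMER header identifies that file as GMER's own driver loaded from Temp; Normandy.SYS is RkU's driver and dump_atapi.sys is the crash-dump copy of atapi.sys, which normally carries no version block. Every scanner the poster runs leaves artifacts that look like what it is hunting, so the analyst clears those before reading the remainder.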

#5 Leogane
  • Topic Starter

  • Members
  • 26 posts

Posted 20 October 2010 - 03:46 PM

Hello again, Maurice,

Did all of the above, but when I clicked "Kill all processes" in OTH, my desktop did nothing; the instructions said it should go blank. Don't know if that matters.

Also, got a Symantec alert that I have Trojan.Zbot - sdra64.exe, and also got some random tabs opening up on their own in Firefox.

here are the logs.

Edited by Maurice Naggar, 20 October 2010 - 10:48 PM.


#6 Leogane
  • Topic Starter

  • Members
  • 26 posts

Posted 20 October 2010 - 03:47 PM

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xA587F000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4554752 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF130000 C:\WINDOWS\System32\ati3duag.dll 2949120 bytes (ATI Technologies Inc. , ati3duag.dll)
0xB3BBC000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2510848 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF400000 C:\WINDOWS\System32\ativvaxx.dll 1519616 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x9CE3E000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101005.022\navex15.sys 1368064 bytes (Symantec Corporation, AV Engine)
0xA56AB000 C:\WINDOWS\system32\DRIVERS\smserial.sys 983040 bytes (Motorola Inc., Motorola SM56 Modem WDM Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0x9C878000 C:\WINDOWS\system32\DRIVERS\ar5211.sys 552960 bytes (Atheros Communications, Inc., Driver for Atheros AR5001 Wireless Network Adapter)
0xA12FB000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA13B8000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 401408 bytes (Symantec Corporation, SPBBC Driver)
0xA129D000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB39FC000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xBF058000 C:\WINDOWS\System32\ati2cqag.dll 376832 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xA14C5000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA16E9000 C:\Program Files\Symantec AntiVirus\savrt.sys 360448 bytes (Symantec Corporation, AutoProtect)
0x9D644000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBF0B4000 C:\WINDOWS\System32\atikvmag.dll 331776 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 286720 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA148A000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 241664 bytes (Symantec Corporation, Network Dispatch Driver)
0xB3A5A000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9DC24000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7406000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBF105000 C:\WINDOWS\System32\atiok3x2.dll 176128 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xA136B000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB3AB2000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA143C000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7494000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA1464000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA585B000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB3AFD000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB3ADA000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA141A000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA1396000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xA16C7000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 139264 bytes (Symantec Corporation, Symantec Event Library)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF745C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74BA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF74D9000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xA1280000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF787D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF747C000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA1268000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7433000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x9BA01000 C:\DOCUME~1\Tsetsi\LOCALS~1\Temp\kxdiykog.sys 94208 bytes
0xB3A9B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9DD8F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0x9CE2A000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101005.022\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)
0xA16B3000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)
0xB3BA8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA151E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF744A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0x9DB4B000 C:\WINDOWS\System32\Drivers\adfs.SYS 69632 bytes (Adobe Systems, Inc., Adobe Drive File System Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB3A8A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7537000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76A7000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA600A000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76B7000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF7507000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xA6233000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF76C7000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF76D7000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 53248 bytes (REDC, RICOH MS Driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7587000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xAA537000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7697000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7557000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB8306000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 40960 bytes (Symantec Corporation, Redirector Filter Driver)
0xF7567000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7687000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7577000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xAABE3000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9B127000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xA3872000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA7785000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF77CF000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF779F000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xA77BD000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7717000 risdptsk.sys 28672 bytes (REDC, RICOH SD/MMC Driver)
0xF77A7000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77B7000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xA3AA0000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xA3AB8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB3E31000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77C7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB3E69000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7797000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xA9E51000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF78A3000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB811E000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF7933000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA642D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF78A7000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF789B000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789F000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB879E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0x8A1FB000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB811A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA6C3F000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79DB000 C:\WINDOWS\system32\DRIVERS\ATKACPI.sys 8192 bytes (-, ATK0100 ACPI Utility)
0xA1BCF000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7989000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79C1000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A05000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF79DD000 C:\WINDOWS\system32\DRIVERS\kbfiltr.sys 8192 bytes ( , Keyboard Filter Driver)
0xF79B1000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79BD000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79DF000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF798F000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7987000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A87000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA3902000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA35D0000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8A25B292 ?_empty_? 3438 bytes
==============================================
>Stealth
==============================================
0xF747C000 WARNING: suspicious driver modification [atapi.sys::0x8A25B292]
0x05CB0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 102400 bytes
0x01090000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 110592 bytes
0x03C50000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 110592 bytes
0x066A0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 110592 bytes
0x06370000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 126976 bytes
0x06260000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 143360 bytes
0x05F90000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 1511424 bytes
0x05CD0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 1683456 bytes
0x06670000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 176128 bytes
0x05F60000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 192512 bytes
0x06310000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 217088 bytes
0x049A0000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 241664 bytes
0x066C0000 Hidden Image-->CLI.Aspect.IntegratedUMAFrameBuffer.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 274432 bytes
0x01260000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 28672 bytes
0x014E0000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 28672 bytes
0x06250000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x05440000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x01130000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x01110000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03D20000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03D70000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03DA0000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03EC0000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03F00000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03F20000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03F60000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x03F50000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x04A10000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x04A50000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x04A40000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x04CD0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x04DF0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x04E30000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x04E90000 Hidden Image-->DEM.Graphics.I0703.dll [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x05260000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x05520000 Hidden Image-->CLI.Aspect.IntegratedUMAFrameBuffer.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x05510000 Hidden Image-->CLI.Aspect.IntegratedUMAFrameBuffer.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x05580000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x056E0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x056F0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x05820000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x05E80000 Hidden Image-->atixclib.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x06110000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x06120000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 28672 bytes
0x01500000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8908FB28 ] PID: 1304, 307200 bytes
0x01170000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 307200 bytes
0x05F10000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 315392 bytes
0x06480000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 339968 bytes
0x04070000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 356352 bytes
0x03BC0000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 36864 bytes
0x03C70000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x03D80000 Hidden Image-->AEM.Foundation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x03D50000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x049F0000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x04E50000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x05230000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x05380000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x053E0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x05430000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x05540000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x05800000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 36864 bytes
0x040F0000 Hidden Image-->System.Management.dll [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 380928 bytes
0x05E90000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 413696 bytes
0x06410000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 413696 bytes
0x062A0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 446464 bytes
0x010C0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 45056 bytes
0x01130000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 45056 bytes
0x01100000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x010E0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x011D0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x03D30000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x03EE0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x04E60000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x04EA0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x05370000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x050F0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x053D0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 45056 bytes
0x05990000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 454656 bytes
0x05660000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 479232 bytes
0x06390000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 487424 bytes
0x05C30000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 495616 bytes
0x03BA0000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 53248 bytes
0x03D40000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x03CF0000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x03D00000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x03F40000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x04E40000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x05220000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x053A0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x05420000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x054E0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x05570000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x05810000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x05850000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x05A20000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 53248 bytes
0x064F0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 593920 bytes
0x01120000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 61440 bytes
0x049E0000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 61440 bytes
0x05100000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 61440 bytes
0x053C0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 61440 bytes
0x05490000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 61440 bytes
0x05530000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 61440 bytes
0x01140000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x8908FB28 ] PID: 1304, 69632 bytes
0x01140000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 69632 bytes
0x05400000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 69632 bytes
0x05470000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 69632 bytes
0x03CD0000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 77824 bytes
0x04A60000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 77824 bytes
0x04E10000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 77824 bytes
0x050D0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 77824 bytes
0x054C0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 77824 bytes
0x06590000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 798720 bytes
0x050B0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 86016 bytes
0x06230000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x8A1C1DA0 ] PID: 3008, 86016 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@67.201.62[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@contentomania[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@trusearch[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\arrow[1].gif
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\finance[1].jpg
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\quant[1].js
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\search[1].html
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\search[2].html
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\search_relestar_js[1]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\search_relestar_js[2]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\spacer[1].gif
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\top_bg[1].png
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CVTQJY97\verp[1].htm
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\bg_magenta[1].gif
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\computer[1].jpg
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\contentomania_com[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\imp[1]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\imp[2]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\logo[1].png
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\search[1].html
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\search_relestar_js[1]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\search_relestar_js[2]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\search_relestar_js[3]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\text[1].css
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\tickets[1].jpg
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\P3ZJ90KV\travel2[1].jpg
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UDU4RK4G\search[1].html
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\bullet[1].png
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\go[1].gif
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\health1[1].jpg
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\internet2[1].jpg
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\relelib[1].js
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\round_search[1].png
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\search[1].html
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\search[2].html
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\search_relestar_js[1]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WUDJDRRH\shop3[1].jpg
!-->[Hidden] C:\Documents and Settings\Tsetsi\Application Data\Skype\hermotsura\chatsync\9c\9c401a9e8bfe93e1.dat
!-->[Hidden] C:\WINDOWS\system32\CatRoot2\edb.log::$DATA
!-->[Hidden] C:\WINDOWS\system32\CatRoot2\tmp.edb::$DATA
!-->[Hidden] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\FB788E090BC1F3AA2FBC9E8FB2859601
!-->[Hidden] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\FB788E090BC1F3AA2FBC9E8FB2859601
!-->[Hidden] C:\WINDOWS\system32\lowsec\local.ds
!-->[Hidden] C:\WINDOWS\system32\lowsec\user.ds
!-->[Hidden] C:\WINDOWS\system32\lowsec\user.ds.lll
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]
ntoskrnl.exe+0x0000D905, Type: Inline - RelativeJump 0x804E4905-->804E491A [ntoskrnl.exe]
[1096]svchost.exe-->kernel32.dll-->ntdll.dll-->LdrGetProcedureAddress, Type: IAT modification 0x7C801398-->00000000 [unknown_code_page]
[1096]svchost.exe-->kernel32.dll-->ntdll.dll-->LdrLoadDll, Type: IAT modification 0x7C801394-->00000000 [unknown_code_page]
[1096]svchost.exe-->kernel32.dll-->ntdll.dll-->NtCreateThread, Type: IAT modification 0x7C801450-->00000000 [unknown_code_page]
[1096]svchost.exe-->kernel32.dll-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x7C801228-->00000000 [unknown_code_page]
[1096]svchost.exe-->shell32.dll-->user32.dll-->EndDialog, Type: IAT modification 0x7C9C1D84-->00000000 [unknown_code_page]
[1096]svchost.exe-->shell32.dll-->user32.dll-->GetClipboardData, Type: IAT modification 0x7C9C2094-->00000000 [unknown_code_page]
[1096]svchost.exe-->shell32.dll-->user32.dll-->TranslateMessage, Type: IAT modification 0x7C9C1DFC-->00000000 [unknown_code_page]
[1096]svchost.exe-->wininet.dll-->user32.dll-->EndDialog, Type: IAT modification 0x3D9315CC-->00000000 [unknown_code_page]
[1104]jusched.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1104]jusched.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1124]ati2evxx.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1124]ati2evxx.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1296]RTHDCPL.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1296]RTHDCPL.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1304]MOM.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1304]MOM.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1700]AdobeARM.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1700]AdobeARM.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1748]sm56hlpr.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1748]sm56hlpr.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1788]AppleMobileDeviceService.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1788]AppleMobileDeviceService.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1828]alg.exe-->kernel32.dll-->ntdll.dll-->LdrGetProcedureAddress, Type: IAT modification 0x7C801398-->00000000 [unknown_code_page]
[1828]alg.exe-->kernel32.dll-->ntdll.dll-->LdrLoadDll, Type: IAT modification 0x7C801394-->00000000 [unknown_code_page]
[1828]alg.exe-->kernel32.dll-->ntdll.dll-->NtCreateThread, Type: IAT modification 0x7C801450-->00000000 [unknown_code_page]
[1828]alg.exe-->kernel32.dll-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x7C801228-->00000000 [unknown_code_page]
[1828]alg.exe-->shell32.dll-->user32.dll-->EndDialog, Type: IAT modification 0x7C9C1D84-->00000000 [unknown_code_page]
[1828]alg.exe-->shell32.dll-->user32.dll-->GetClipboardData, Type: IAT modification 0x7C9C2094-->00000000 [unknown_code_page]
[1828]alg.exe-->shell32.dll-->user32.dll-->TranslateMessage, Type: IAT modification 0x7C9C1DFC-->00000000 [unknown_code_page]
[1828]alg.exe-->wininet.dll-->user32.dll-->EndDialog, Type: IAT modification 0x3D9315CC-->00000000 [unknown_code_page]
[1828]alg.exe-->ws2_32.dll-->WSAConnect, Type: IAT modification 0x010010F0-->00000000 [unknown_code_page]
[1836]DivXUpdate.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1836]DivXUpdate.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[1852]iTunesHelper.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[1852]iTunesHelper.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2012]TeaTimer.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2012]TeaTimer.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2020]ctfmon.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2020]ctfmon.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2028]SUPERANTISPYWARE.EXE-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2028]SUPERANTISPYWARE.EXE-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[208]NMIndexingService.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[208]NMIndexingService.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2096]NMIndexStoreSvr.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2096]NMIndexStoreSvr.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2220]mDNSResponder.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2220]mDNSResponder.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2608]jqs.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2608]jqs.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2732]McSACore.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2732]McSACore.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[2984]NBService.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[2984]NBService.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[3008]CCC.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[3008]CCC.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[3216]IoctlSvc.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[3216]IoctlSvc.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[3248]skypePM.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[3248]skypePM.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[3416]TosBtSrv.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[3416]TosBtSrv.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[3504]wdfmgr.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[3504]wdfmgr.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[4084]wscntfy.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[4084]wscntfy.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[456]iPodService.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[456]iPodService.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[544]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[544]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[544]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[544]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[544]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[544]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[544]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[544]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[544]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[544]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[544]explorer.exe-->shell32.dll-->user32.dll-->EndDialog, Type: IAT modification 0x7C9C1D84-->00000000 [unknown_code_page]
[544]explorer.exe-->shell32.dll-->user32.dll-->GetClipboardData, Type: IAT modification 0x7C9C2094-->00000000 [unknown_code_page]
[544]explorer.exe-->shell32.dll-->user32.dll-->TranslateMessage, Type: IAT modification 0x7C9C1DFC-->00000000 [unknown_code_page]
[544]explorer.exe-->user32.dll-->EndDialog, Type: IAT modification 0x010016AC-->00000000 [unknown_code_page]
[544]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[544]explorer.exe-->user32.dll-->TranslateMessage, Type: IAT modification 0x0100179C-->00000000 [unknown_code_page]
[5740]notepad.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[5740]notepad.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[636]services.exe-->kernel32.dll-->ntdll.dll-->LdrGetProcedureAddress, Type: IAT modification 0x7C801398-->00000000 [unknown_code_page]
[636]services.exe-->kernel32.dll-->ntdll.dll-->LdrLoadDll, Type: IAT modification 0x7C801394-->00000000 [unknown_code_page]
[636]services.exe-->kernel32.dll-->ntdll.dll-->NtCreateThread, Type: IAT modification 0x7C801450-->00000000 [unknown_code_page]
[636]services.exe-->kernel32.dll-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x7C801228-->00000000 [unknown_code_page]
[636]services.exe-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x010012B0-->00000000 [unknown_code_page]
[636]services.exe-->shell32.dll-->user32.dll-->EndDialog, Type: IAT modification 0x7C9C1D84-->00000000 [unknown_code_page]
[636]services.exe-->shell32.dll-->user32.dll-->GetClipboardData, Type: IAT modification 0x7C9C2094-->00000000 [unknown_code_page]
[636]services.exe-->shell32.dll-->user32.dll-->TranslateMessage, Type: IAT modification 0x7C9C1DFC-->00000000 [unknown_code_page]
[636]services.exe-->wininet.dll-->user32.dll-->EndDialog, Type: IAT modification 0x3D9315CC-->00000000 [unknown_code_page]
[648]lsass.exe-->kernel32.dll-->ntdll.dll-->LdrGetProcedureAddress, Type: IAT modification 0x7C801398-->00000000 [unknown_code_page]
[648]lsass.exe-->kernel32.dll-->ntdll.dll-->LdrLoadDll, Type: IAT modification 0x7C801394-->00000000 [unknown_code_page]
[648]lsass.exe-->kernel32.dll-->ntdll.dll-->NtCreateThread, Type: IAT modification 0x7C801450-->00000000 [unknown_code_page]
[648]lsass.exe-->kernel32.dll-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x7C801228-->00000000 [unknown_code_page]
[648]lsass.exe-->shell32.dll-->user32.dll-->EndDialog, Type: IAT modification 0x7C9C1D84-->00000000 [unknown_code_page]
[648]lsass.exe-->shell32.dll-->user32.dll-->GetClipboardData, Type: IAT modification 0x7C9C2094-->00000000 [unknown_code_page]
[648]lsass.exe-->shell32.dll-->user32.dll-->TranslateMessage, Type: IAT modification 0x7C9C1DFC-->00000000 [unknown_code_page]
[648]lsass.exe-->wininet.dll-->user32.dll-->EndDialog, Type: IAT modification 0x3D9315CC-->00000000 [unknown_code_page]
[812]ati2evxx.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[812]ati2evxx.exe-->kernel32.dll-->TerminateThread, Type: Inline - PushRet 0x7C81CB3B-->00000000 [unknown_code_page]
[836]svchost.exe-->kernel32.dll-->ntdll.dll-->NtCreateThread, Type: IAT modification 0x7C801450-->00000000 [unknown_code_page]
[936]svchost.exe-->kernel32.dll-->ntdll.dll-->LdrGetProcedureAddress, Type: IAT modification 0x7C801398-->00000000 [unknown_code_page]
[936]svchost.exe-->kernel32.dll-->ntdll.dll-->LdrLoadDll, Type: IAT modification 0x7C801394-->00000000 [unknown_code_page]
[936]svchost.exe-->kernel32.dll-->ntdll.dll-->NtCreateThread, Type: IAT modification 0x7C801450-->00000000 [unknown_code_page]
[936]svchost.exe-->kernel32.dll-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x7C801228-->00000000 [unknown_code_page]
[936]svchost.exe-->shell32.dll-->user32.dll-->EndDialog, Type: IAT modification 0x7C9C1D84-->00000000 [unknown_code_page]
[936]svchost.exe-->shell32.dll-->user32.dll-->GetClipboardData, Type: IAT modification 0x7C9C2094-->00000000 [unknown_code_page]
[936]svchost.exe-->shell32.dll-->user32.dll-->TranslateMessage, Type: IAT modification 0x7C9C1DFC-->00000000 [unknown_code_page]
[936]svchost.exe-->wininet.dll-->user32.dll-->EndDialog, Type: IAT modification 0x3D9315CC-->00000000 [unknown_code_page]

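The user-mode hook list above is the part of a GMER log that is hardest to read by eye: dozens of near-identical lines, and the interesting ones are buried among entries that every clean Windows XP machine also shows. The script below is an added example for this thread, not code posted by anyone in it and not part of GMER. It parses lines in exactly the format quoted above and sorts them into rough severities. The six sample lines embedded in it are copied from the log above (the real list is much longer); the sets of "sensitive" APIs and "critical" processes are the editor's own triage assumptions, not anything GMER defines.

```python
import re
from collections import defaultdict

# Constructed sample: six "User code sections" lines copied from the GMER log
# quoted in this thread. The real log has many more; this excerpt is enough
# to exercise every branch of the triage below.
SAMPLE_GMER_LINES = """\
[544]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[544]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[636]services.exe-->kernel32.dll-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x7C801228-->00000000 [unknown_code_page]
[648]lsass.exe-->kernel32.dll-->ntdll.dll-->LdrLoadDll, Type: IAT modification 0x7C801394-->00000000 [unknown_code_page]
[5740]notepad.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
[812]ati2evxx.exe-->kernel32.dll-->TerminateProcess, Type: Inline - PushRet 0x7C801E1A-->00000000 [unknown_code_page]
"""

# One GMER user-mode hook line:
#   [pid]process-->module-->...-->function, Type: <kind> 0xADDR-->TARGET [owner]
HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<chain>.+), Type: (?P<kind>.+?) "
    r"0x(?P<addr>[0-9A-Fa-f]+)-->(?P<target>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)

# Hook owners that are part of Windows itself. shimeng.dll is the
# application-compatibility shim engine; its IAT patches of GetProcAddress
# show up in almost every clean XP log.
KNOWN_BENIGN_OWNERS = {"shimeng.dll"}

# Editor's assumption: APIs whose user-mode hooking is the classic way to hide
# files, control which DLLs a process may load, or inject into other processes.
SENSITIVE_FUNCS = {
    "NtQueryDirectoryFile",       # filter directory listings (hide files)
    "NtQuerySystemInformation",   # filter process lists (hide processes)
    "LdrLoadDll",                 # intercept or deny DLL loads
    "LdrGetProcedureAddress",     # redirect API resolution
    "NtCreateThread",             # intercept thread creation / injection
    "NtWriteVirtualMemory",       # cross-process memory writes
    "NtProtectVirtualMemory",     # make injected code executable
    "KiUserExceptionDispatcher",  # hijack exception delivery
}

# Editor's assumption: processes where any unexplained hook deserves a close look.
CRITICAL_PROCS = {"lsass.exe", "services.exe", "svchost.exe", "winlogon.exe", "csrss.exe"}


def parse_hooks(text):
    """Return one dict per parseable GMER hook line; non-matching lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        chain = m.group("chain").split("-->")
        hooks.append({
            "pid": int(m.group("pid")),
            "proc": m.group("proc").lower(),
            "func": chain[-1],   # last element is the hooked export (or module+offset)
            "kind": m.group("kind"),
            "addr": m.group("addr").upper(),
            "owner": m.group("owner"),
        })
    return hooks


def severity(h):
    """Classify one hook as info / low / medium / high."""
    if h["owner"] in KNOWN_BENIGN_OWNERS:
        return "info"
    if h["owner"] != "unknown_code_page":
        return "low"   # attributable to a named module: verify that module's signer
    if h["func"] in SENSITIVE_FUNCS:
        return "high" if h["proc"] in CRITICAL_PROCS else "medium"
    return "low"


def triage(text):
    """Summarise a GMER user-code-sections dump.

    Returns per-severity counts, the high-severity (process, function) pairs,
    and hooks by unnamed code that recur at the same address in more than one
    process, which points at one component injected system-wide.
    """
    hooks = parse_hooks(text)
    counts = defaultdict(int)
    highs = []
    by_sig = defaultdict(set)
    for h in hooks:
        sev = severity(h)
        counts[sev] += 1
        if sev == "high":
            highs.append((h["proc"], h["func"]))
        if h["owner"] == "unknown_code_page":
            by_sig[(h["func"], h["kind"], h["addr"])].add(h["proc"])
    widespread = sorted(
        (func, kind, sorted(procs))
        for (func, kind, _addr), procs in by_sig.items() if len(procs) > 1
    )
    return {"total": len(hooks), "counts": dict(counts), "high": highs, "widespread": widespread}


if __name__ == "__main__":
    report = triage(SAMPLE_GMER_LINES)
    print(f"{report['total']} hooks parsed: {report['counts']}")
    for proc, func in report["high"]:
        print(f"  HIGH  {proc}: {func} hooked by unnamed code")
    for func, kind, procs in report["widespread"]:
        print(f"  SAME HOOK in {len(procs)} processes: {func} ({kind}) -> {', '.join(procs)}")
```

Two things the script makes visible that are easy to miss when reading the raw list. First, the shimeng.dll IAT entries in explorer.exe are the Windows application-compatibility shim engine and appear in clean logs, whereas the NtQueryDirectoryFile and LdrLoadDll hooks from unnamed code in services.exe, lsass.exe and svchost.exe are the kind of user-mode hooking used to hide files and control what each process may load, and deserve follow-up regardless of what the other scanners reported. Second, the TerminateProcess and TerminateThread PushRet hooks recur at the same address in unrelated processes (iPodService.exe, notepad.exe, ati2evxx.exe); on XP the system DLLs load at the same base in every process, so the identical address only tells you that one component is injected system-wide. A security product's self-protection does this as readily as malware, so the script lists it for follow-up rather than calling it malicious.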
#7 Leogane (Topic Starter)

Posted 20 October 2010 - 06:33 PM

OTL Extras logfile created on: 10/20/2010 1:09:24 PM - Run 1
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\Tsetsi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 14.60 Gb Free Space | 37.37% Space Free | Partition Type: NTFS
Drive J: | 193.82 Gb Total Space | 26.54 Gb Free Space | 13.70% Space Free | Partition Type: NTFS

Computer Name: TSETSI-LAPTOP | User Name: Tsetsi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"17419:TCP" = 17419:TCP:*:Enabled:BitComet 17419 TCP
"17419:UDP" = 17419:UDP:*:Enabled:BitComet 17419 UDP
"4859:TCP" = 4859:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe -- (www.BitComet.com)
"C:\Program Files\Java\jre1.6.0_07\launch4j-tmp\Stanza.exe" = C:\Program Files\Java\jre1.6.0_07\launch4j-tmp\Stanza.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Java\jre6\launch4j-tmp\Stanza.exe" = C:\Program Files\Java\jre6\launch4j-tmp\Stanza.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{003C932A-0064-B581-3935-284D2CE76A89}" = Catalyst Control Center Core Implementation
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0AD37499-3D5D-12F0-EBEA-46EE9AD02DBF}" = Catalyst Control Center Localization German
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0E006E70-1DA6-4A39-B645-2D640ABA9CD6}" = calibre
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{174D7CC5-1117-29D3-8422-2E54ADF7DB5D}" = Catalyst Control Center Localization Norwegian
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.6
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{1E0E1039-E45D-7EA2-E377-E00C2857E0C2}" = ccc-core-static
"{21A1D4A5-3D9B-9434-4F97-40367BDF4E47}" = Catalyst Control Center Graphics Full New
"{23894154-0961-CD0A-BAC0-67E6E96165C3}" = CCC Help Chinese Standard
"{24DFAAD6-E1ED-F588-2AD5-2EA4FE9113AE}" = CCC Help Korean
"{26886987-D038-7438-8DF2-ED3B1888E052}" = CCC Help Hungarian
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{2C6D0ACD-DD2B-BFE5-A005-53AFD4AA3175}" = Catalyst Control Center Localization Spanish
"{2D50DC1F-FCEC-D970-1DFB-E73CF2404451}" = Catalyst Control Center Localization Hungarian
"{306682DE-BB8E-CD56-9F6B-DE209469418A}" = CCC Help Turkish
"{310477AD-884B-736D-B2C8-7BE9433B243D}" = CCC Help Swedish
"{31814F2E-FA58-AFE8-DC97-3BD97F7191C2}" = CCC Help Greek
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34A350D1-64FB-36D8-9D0C-1CD8E392DBA5}" = Google Talk Plugin
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{350FB27C-CF62-4EF3-AF9D-70FF313FE221}" = iTunes
"{354F7470-D8E3-95D0-3488-B9E32D5E9636}" = CCC Help German
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{380FAC97-C47F-C5A9-2A51-DFF8DE144B37}" = Catalyst Control Center Localization Italian
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3C5F1B30-B10B-4579-86DD-D00F662E1033}" = Nero 8 Ultra Edition HD
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{407A5080-4B1C-A43D-9EED-A3B5EDBCF593}" = CCC Help Polish
"{411F3ABA-2AB5-4799-AA19-6ADF0A8F7424}" = Adobe Setup
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets
"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4
"{46FE06BF-2A08-9D00-ABFD-7F967817E275}" = Catalyst Control Center Localization Swedish
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{4B50D80D-A482-DECD-B584-EB054EBA878A}" = ccc-core-preinstall
"{4B8ACECB-D518-99AA-B1F3-E79F905A83EE}" = Catalyst Control Center Localization Czech
"{50E125D1-88E5-48CE-80AE-98EC9698E639}" = Symantec AntiVirus
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57BA3105-8E44-45BD-BB3A-F0BD5EA0575B}" = Bulgarian (Phonetic) by Iliya Dankov
"{5ABA84ED-D61B-257F-809F-A8C883865854}" = Catalyst Control Center Localization Dutch
"{5B464CAC-76BD-BDBB-8066-318D05D171DF}" = Catalyst Control Center Localization Finnish
"{5C7332EA-BFB9-24A0-BDD9-254F4B113E41}" = Catalyst Control Center Localization Polish
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6426C1E8-ADD6-F91F-C152-2ABB7AB25F9F}" = Catalyst Control Center Graphics Full Existing
"{66B5F542-952C-F50D-BFF3-BCA582B65860}" = Catalyst Control Center Localization Turkish
"{67213BA8-70C6-458D-9B64-4B93FB35E84B}" = CCC Help Italian
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AA66ACB-E93C-C7CD-F303-D473AEC8A43E}" = CCC Help Norwegian
"{6D5DC54D-B06E-32A8-A5D9-4978D7A75FA1}" = Catalyst Control Center Localization Japanese
"{6DC712D0-A8AE-70EE-215D-ECE5DB29782C}" = Skins
"{782BC438-2C73-77F4-F5B6-7ADC87F611BB}" = CCC Help Spanish
"{791A19F4-E4E5-F4B0-7687-F5D1C4FF799A}" = Catalyst Control Center Graphics Light
"{7BBA76B4-CC34-0AAB-6D48-BE0181E20832}" = CCC Help Dutch
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{7F311276-1CD6-1661-8BAE-DD9016FE9B8D}" = Catalyst Control Center Localization Russian
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{84C89CF4-F64E-6820-375C-24963DDF99C9}" = Catalyst Control Center Localization Greek
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{896C6BC9-F655-4179-9BE9-E102953B9DAE}_is1" = Pavtube DVD Ripper version 3.2.1.601
"{8C0D145D-EB41-E1DB-6250-0146B02CBA3A}" = CCC Help Japanese
"{8CE08C3C-8FF4-45D9-925E-4F3CE2D7FA7D}" = Adobe Setup
"{8F5D6849-1A7E-B0B2-F1DE-C0FF21F9E78C}" = CCC Help French
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARD_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{944DA8EF-FD4E-1FD9-D88A-B22D78913BE6}" = Catalyst Control Center Localization Portuguese
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{97F5E039-D2F5-18C0-F0C9-6981F73514CC}" = Catalyst Control Center Localization French
"{9D210D79-AEC5-453B-960C-4DD2C73931E1}" = Bonjour Print Services
"{9E684286-287F-AE06-6909-31A0944A9B4F}" = Catalyst Control Center Localization Danish
"{A0CE9CC5-B17D-3FD5-20B9-A2509B475A20}" = ccc-utility
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A35D49A6-F3CF-87AA-6FF1-777D8A06BAB1}" = CCC Help English
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4
"{B15381DD-FF97-4FCD-A881-ED4DB0975500}" = Adobe Color Video Profiles AE CS4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B2CEACB9-7690-30B5-D80A-B138DB4F0E37}" = Catalyst Control Center Localization Chinese Traditional
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}" = Adobe Media Encoder CS4 Additional Exporter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CA1CA5F8-7500-45C5-9D4C-47D13FBC92D2}" = Adobe Setup
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D26970AA-C66F-142F-7C66-A73FC3546F57}" = CCC Help Russian
"{D88DB576-0989-879A-38B1-7ED6224B2F52}" = Catalyst Control Center Localization Thai
"{D8B87EBC-12C2-D4FC-F085-A062D4906216}" = CCC Help Danish
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{E2A05D36-56EF-84FC-E7D7-090D6E5F09BC}" = CCC Help Finnish
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E4DA4D2C-F57F-782E-752E-9286E5713297}" = Catalyst Control Center Localization Korean
"{E4E118EF-5286-915B-7DBD-D931AB9AF200}" = CCC Help Portuguese
"{E5B85BE7-55B5-0A14-7634-FEF92BCB87FB}" = CCC Help Chinese Traditional
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F384BD83-C317-94DA-A4AB-3E75E43F4F8C}" = Catalyst Control Center Localization Chinese Standard
"{F622BE4A-363F-F2B6-1F98-54E5E99B1750}" = CCC Help Thai
"{F6D39840-BB27-A191-BDF2-1841CA805D24}" = CCC Help Czech
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe Type Manager 4.1" = Adobe Type Manager 4.1
"Adobe_1710d324011afc3e7658e969025f4ba" = Adobe InDesign CS4
"Adobe_2a31ae7a5c43ff52d8577782dd34e04" = Adobe Illustrator CS4
"Adobe_3dcb365ab9e01871fb8c6f27b0ea079" = Adobe After Effects CS4
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"Akamai" = Akamai NetSession Interface
"All ATI Software" = ATI - Software Uninstall Utility
"AMP Font Viewer" = AMP Font Viewer
"ATI Display Driver" = ATI Display Driver
"BitComet" = BitComet 1.19
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Setup.divx.com" = DivX Setup
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"FLIQLO" = FLIQLO Screen Saver
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.7.0
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"MainType2_is1" = MainType 2.1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.2
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"SMSERIAL" = Motorola SM56 Data Fax Modem
"STANDARD" = Microsoft Office Standard 2007
"Stanza" = Stanza
"Switch" = Switch Sound File Converter
"VLC media player" = VLC media player 1.0.5
"WinDjView" = WinDjView 1.0.3
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/15/2010 11:04:17 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\nijiw.exe (PID 5420) Time: Monday, November 15,
2010 10:04:17 PM

Error - 11/15/2010 11:04:17 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\nijiw.exe (PID 5420) Time: Monday, November 15,
2010 10:04:17 PM

Error - 11/15/2010 11:04:17 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\nijiw.exe (PID 5420) Time: Monday, November 15,
2010 10:04:17 PM

Error - 11/15/2010 11:04:18 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\nijiw.exe (PID 5420) Time: Monday, November 15,
2010 10:04:18 PM

Error - 11/15/2010 11:04:18 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\nijiw.exe (PID 5420) Time: Monday, November 15,
2010 10:04:18 PM

Error - 11/15/2010 11:04:18 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\nijiw.exe (PID 5420) Time: Monday, November 15,
2010 10:04:18 PM

Error - 11/15/2010 11:55:44 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\yeazia.exe (PID 2976) Time: Monday, November
15, 2010 10:55:44 PM

Error - 11/19/2010 1:35:40 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\keueme.exe (PID 2992) Time: Friday, November 19,
2010 12:35:40 PM

Error - 11/19/2010 1:35:40 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec
Shared\ccApp.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\keueme.exe (PID 2992) Time: Friday, November 19,
2010 12:35:40 PM

Error - 11/19/2010 1:35:40 PM | Computer Name = TSETSI-LAPTOP | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Write Memory Action Taken: Blocked Actor Process:
C:\Documents and Settings\Tsetsi\keueme.exe (PID 2992) Time: Friday, November
19, 2010 12:35:40 PM

[ System Events ]
Error - 11/17/2010 12:55:52 PM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding

Error - 11/17/2010 12:55:52 PM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding

Error - 11/17/2010 12:57:02 PM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding

Error - 11/17/2010 12:57:02 PM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding

Error - 11/17/2010 12:57:02 PM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding

Error - 11/19/2010 11:40:24 AM | Computer Name = TSETSI-LAPTOP | Source = Service Control Manager | ID = 7022
Description = The Automatic Updates service hung on starting.

Error - 10/19/2010 5:24:47 PM | Computer Name = TSETSI-LAPTOP | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.100
with the system having network hardware address 00:1C:B3:C4:D8:BE. Network operations
on this system may be disrupted as a result.

Error - 10/20/2010 11:34:51 AM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding

Error - 10/20/2010 11:34:51 AM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding

Error - 10/20/2010 11:34:51 AM | Computer Name = TSETSI-LAPTOP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%3" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
9.0\Acrobat\AcrobatInfo.exe" /PDFShell -Embedding


< End of report >

#8 Leogane
Posted 20 October 2010 - 06:35 PM

I can't seem to be able to copy-paste the OTL.txt file, so I'll try to break it up and see what happens.


OTL logfile created on: 10/20/2010 1:09:24 PM - Run 1
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\Tsetsi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 14.60 Gb Free Space | 37.37% Space Free | Partition Type: NTFS
Drive J: | 193.82 Gb Total Space | 26.54 Gb Free Space | 13.70% Space Free | Partition Type: NTFS

Computer Name: TSETSI-LAPTOP | User Name: Tsetsi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/16 14:18:31 | 000,258,048 | RHS- | M] () -- C:\Documents and Settings\Tsetsi\keueme.exe
PRC - [2010/11/15 23:38:53 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/10/20 10:33:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTL.scr
PRC - [2010/10/20 10:33:35 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTH.scr
PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/06/02 19:50:58 | 001,144,104 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 17:07:58 | 001,828,136 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2007/03/14 19:49:02 | 000,125,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/03/14 19:48:50 | 001,816,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/03/14 19:48:40 | 000,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/02/25 21:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/01/10 16:27:38 | 001,160,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2006/11/21 17:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/11/21 17:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/11/21 17:38:28 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/08/07 13:11:00 | 000,573,440 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

#9 Leogane
Posted 20 October 2010 - 06:39 PM

Doesn't let me copy-paste the rest of the OTL for some reason; that's why I'm attaching it. Hope it's not a problem.

Attached Files

  • Attached File  OTL.Txt   62.72KB   1 downloads


#10 Maurice Naggar

  • Malware Response Team

Posted 20 October 2010 - 10:50 PM

Here is your log:

OTL logfile created on: 10/20/2010 1:09:24 PM - Run 1
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Documents and Settings\Tsetsi\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 14.60 Gb Free Space | 37.37% Space Free | Partition Type: NTFS
Drive J: | 193.82 Gb Total Space | 26.54 Gb Free Space | 13.70% Space Free | Partition Type: NTFS

Computer Name: TSETSI-LAPTOP | User Name: Tsetsi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/16 14:18:31 | 000,258,048 | RHS- | M] () -- C:\Documents and Settings\Tsetsi\keueme.exe
PRC - [2010/11/15 23:38:53 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/10/20 10:33:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTL.scr
PRC - [2010/10/20 10:33:35 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTH.scr
PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/06/02 19:50:58 | 001,144,104 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 17:07:58 | 001,828,136 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2007/03/14 19:49:02 | 000,125,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/03/14 19:48:50 | 001,816,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2007/03/14 19:48:40 | 000,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/02/25 21:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/01/10 16:27:38 | 001,160,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2006/11/21 17:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/11/21 17:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/11/21 17:38:28 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/08/07 13:11:00 | 000,573,440 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe


========== Modules (SafeList) ==========

MOD - [2010/10/20 10:33:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTL.scr
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/09/23 19:20:21 | 002,950,744 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_062a651.dll -- (Akamai)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/02/15 20:27:08 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/03/14 19:48:56 | 000,116,416 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2007/03/14 19:48:50 | 001,816,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2007/03/14 19:48:40 | 000,031,424 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2007/02/25 21:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/02/12 17:23:10 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2007/01/10 16:27:38 | 001,160,792 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/11/21 17:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/11/21 17:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2000/05/24 15:20:36 | 000,015,360 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\WINDOWS\system32\ATMsrvc.exe -- (ATMsrvc)


========== Driver Services (SafeList) ==========

DRV - [2010/10/01 03:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101005.022\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/01 03:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101005.022\NAVENG.SYS -- (NAVENG)
DRV - [2010/06/12 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/12 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/07 21:25:01 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/13 12:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/10/26 02:20:36 | 000,549,184 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2007/08/28 05:58:00 | 000,005,760 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATKACPI.sys -- (MTsensor)
DRV - [2007/07/04 22:55:40 | 002,304,000 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/02/12 17:22:40 | 000,196,752 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/02/12 17:22:36 | 000,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/01/24 18:08:40 | 000,005,632 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kbfiltr.sys -- (kbfiltr)
DRV - [2007/01/10 16:27:26 | 000,390,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/11/03 09:32:30 | 004,394,496 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/09/06 14:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/07 13:13:50 | 000,980,608 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/07/14 12:14:34 | 000,027,904 | ---- | M] (REDC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\risdptsk.sys -- (risdptsk)
DRV - [2005/07/12 19:00:30 | 000,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "news.bbc.co.uk"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..keyword.URL: "http://search.fast-find.net/?sid=10101063100&s="

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.fast-find.net/?sid=10101063100&s="

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/08/20 10:46:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/03 01:55:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/03 01:55:57 | 000,000,000 | ---D | M]

[2010/03/13 12:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\Mozilla\Extensions
[2010/10/19 16:37:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\Mozilla\Firefox\Profiles\sn8ct9fl.default\extensions
[2010/07/07 23:25:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Tsetsi\Application Data\Mozilla\Firefox\Profiles\sn8ct9fl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/05 20:32:57 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Tsetsi\Application Data\Mozilla\Firefox\Profiles\sn8ct9fl.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/10/19 16:37:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/11 18:44:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/11 18:44:27 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/10/01 18:51:32 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2010/03/22 16:00:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll (BitComet)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {a65609c4-51d8-4eec-bb52-d7ceaad0a7be} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - HKCU..\Run: [keueme] C:\Documents and Settings\Tsetsi\keueme.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Tsetsi\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll (BitComet)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265598237359 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.82.4.8
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tsetsi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/07 17:01:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{56829774-1d06-11df-9136-001fc64fc236}\Shell - "" = AutoRun
O33 - MountPoints2\{56829774-1d06-11df-9136-001fc64fc236}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5b087f7a-ce72-11df-b386-0015af811e3a}\Shell - "" = AutoRun
O33 - MountPoints2\{5b087f7a-ce72-11df-b386-0015af811e3a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5ba55e52-f19f-11df-b388-0015af811e3a}\Shell - "" = AutoRun
O33 - MountPoints2\{5ba55e52-f19f-11df-b388-0015af811e3a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e610fb16-c12b-11df-b37f-0015af811e3a}\Shell - "" = AutoRun
O33 - MountPoints2\{e610fb16-c12b-11df-b37f-0015af811e3a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e610fb16-c12b-11df-b37f-0015af811e3a}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck msln) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/19 11:12:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/11/16 16:24:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/11/15 23:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/11/15 23:46:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/11/07 12:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tsetsi\Application Data\SharePod
[2010/10/20 10:43:49 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/10/20 10:33:45 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTL.scr
[2010/10/20 10:33:33 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTH.scr
[2010/10/20 10:32:26 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Tsetsi\Desktop\erunt-setup.exe
[2010/10/20 10:26:17 | 000,046,640 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\msln.exe
[2010/10/20 10:25:08 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/09/30 19:24:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tsetsi\My Documents\My Library
[2010/02/08 19:36:58 | 000,005,632 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\kbfiltr.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/19 12:24:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/11/17 12:10:10 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/11/16 16:24:45 | 000,000,197 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Application Data\22109.bat
[2010/11/16 14:18:31 | 000,258,048 | RHS- | M] () -- C:\Documents and Settings\Tsetsi\keueme.exe
[2010/11/15 22:55:33 | 001,044,425 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Desktop\Untitled-3.ai
[2010/11/15 22:54:25 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\dralwyg.sys
[2010/11/15 22:21:12 | 000,258,048 | RHS- | M] () -- C:\Documents and Settings\Tsetsi\yeazia.exe
[2010/11/14 17:00:54 | 000,000,154 | ---- | M] () -- C:\WINDOWS\fm1.cfg
[2010/11/14 06:39:59 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/11/13 13:35:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/07 11:53:46 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/07 11:53:46 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/20 12:39:05 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003UA.job
[2010/10/20 11:39:02 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2000478354-630328440-682003330-1003Core.job
[2010/10/20 10:43:54 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/20 10:43:50 | 000,000,623 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Desktop\NTREGOPT.lnk
[2010/10/20 10:43:50 | 000,000,604 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Desktop\ERUNT.lnk
[2010/10/20 10:33:58 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTL.scr
[2010/10/20 10:33:35 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTH.scr
[2010/10/20 10:32:52 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Desktop\RKUnhookerLE.EXE
[2010/10/20 10:32:41 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Tsetsi\Desktop\erunt-setup.exe
[2010/10/20 10:26:17 | 000,046,640 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\msln.exe
[2010/10/19 16:26:54 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/10/19 16:25:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/19 16:23:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/19 13:23:15 | 000,127,488 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/16 16:24:45 | 000,000,197 | ---- | C] () -- C:\Documents and Settings\Tsetsi\Application Data\22109.bat
[2010/11/16 16:24:28 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/11/16 14:18:31 | 000,258,048 | RHS- | C] () -- C:\Documents and Settings\Tsetsi\keueme.exe
[2010/11/15 22:55:22 | 001,044,425 | ---- | C] () -- C:\Documents and Settings\Tsetsi\Desktop\Untitled-3.ai
[2010/11/15 22:54:25 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\dralwyg.sys
[2010/11/15 22:21:12 | 000,258,048 | RHS- | C] () -- C:\Documents and Settings\Tsetsi\yeazia.exe
[2010/10/20 10:43:54 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Tsetsi\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/20 10:43:50 | 000,000,623 | ---- | C] () -- C:\Documents and Settings\Tsetsi\Desktop\NTREGOPT.lnk
[2010/10/20 10:43:50 | 000,000,604 | ---- | C] () -- C:\Documents and Settings\Tsetsi\Desktop\ERUNT.lnk
[2010/10/20 10:32:43 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Tsetsi\Desktop\RKUnhookerLE.EXE
[2010/09/08 18:25:22 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/02/19 19:27:25 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/02/19 19:27:25 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/02/19 19:27:22 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/19 19:27:22 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/02/19 19:27:18 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/02/13 19:55:24 | 000,127,488 | ---- | C] () -- C:\Documents and Settings\Tsetsi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/07 21:33:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2010/02/07 11:51:05 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2007/08/28 05:58:00 | 000,005,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATKACPI.sys
[2006/12/05 13:05:04 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 21:30:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll

========== LOP Check ==========

[2010/04/01 15:58:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
[2010/03/24 02:55:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MainType
[2010/11/19 11:12:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/09/12 15:55:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/08/31 19:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2010/06/20 22:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RosettaStoneLtdBackup
[2010/11/17 11:26:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/04/17 13:35:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/12 19:37:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/15 09:07:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\.dvdcss
[2010/02/28 22:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\AMPSoft
[2010/09/13 19:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\BitComet
[2010/08/31 20:20:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\calibre
[2010/09/12 15:26:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\ImTOO Software Studio
[2010/03/24 01:38:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\MainType
[2010/03/01 12:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\MSNInstaller
[2010/09/12 15:55:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\NCH Swift Sound
[2010/04/28 16:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\Pavtube
[2010/11/07 12:01:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tsetsi\Application Data\SharePod
[2010/09/12 15:55:26 | 000,000,280 | ---- | M] () -- C:\WINDOWS\Tasks\switchSevenDays.job
[2010/09/13 15:30:14 | 000,000,280 | ---- | M] () -- C:\WINDOWS\Tasks\switchShakeIcon.job
[2010/11/19 12:24:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2010/11/17 14:26:49 | 000,025,874 | ---- | C] ()(C:\Documents and Settings\Tsetsi\Desktop\????.docx) -- C:\Documents and Settings\Tsetsi\Desktop\Жега.docx
[2010/10/19 19:35:53 | 000,025,874 | ---- | M] ()(C:\Documents and Settings\Tsetsi\Desktop\????.docx) -- C:\Documents and Settings\Tsetsi\Desktop\Жега.docx

< End of report >




~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
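The OTL file lists above are what a helper reads by eye. As an added example (not code from this thread, and not part of OTL itself), here is a small Python triage pass over entries in that `[date | size | attributes | C/M] (Company) -- path` layout. It flags the patterns that stand out in the log: hidden+system executables, executables sitting directly in a profile root, scripts dropped under Application Data, drivers with no version information, and hidden+system folders under System32. The profile layout (`C:\Documents and Settings\<user>\`) and the heuristics are assumptions for Windows XP; the sample lines are copied from the log above, with the summary and Unicode lines included so the skip paths are exercised.

```python
import os
import re
from dataclasses import dataclass

# One OTL file/folder entry, e.g.
# [2010/11/16 14:18:31 | 000,258,048 | RHS- | M] () -- C:\Documents and Settings\Tsetsi\keueme.exe
# Columns: timestamp | size | attributes (R=read-only, H=hidden, S=system, D=directory) |
# C(reated)/M(odified), then an optional (Company) from the version resource, then the path.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# Assumed Windows XP profile layout: a file directly under a user's profile root,
# which is where keueme.exe and yeazia.exe sit in the log above.
PROFILE_ROOT = re.compile(r"^C:\\Documents and Settings\\[^\\]+\\[^\\]+$", re.I)

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".dll", ".sys", ".bat", ".cmd", ".vbs"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs"}


@dataclass
class Entry:
    ts: str
    size: int
    attr: str
    kind: str
    company: str   # "" when OTL printed () or ( )
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attr

    @property
    def system(self) -> bool:
        return "S" in self.attr

    @property
    def is_dir(self) -> bool:
        return "D" in self.attr

    @property
    def ext(self) -> str:
        # Split on the Windows separator ourselves so this also works on Linux.
        return os.path.splitext(self.path.rsplit("\\", 1)[-1])[1].lower()


def parse_entries(text: str) -> list:
    """Parse every OTL file entry in text. Section headers, the *.tmp summary
    lines and the 'Files - Unicode' lines (a different layout) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        company = (m["company"] or "").strip()
        entries.append(Entry(m["ts"], int(m["size"].replace(",", "")),
                             m["attr"], m["kind"], company, m["path"]))
    return entries


def triage(entries: list) -> list:
    """Return (path, reasons) for entries worth a closer look. These are review
    hints for a human, not verdicts: legitimate drivers can lack a company
    string, and malware can carry a convincing one."""
    findings = []
    for e in entries:
        reasons = []
        low = e.path.lower()
        if e.is_dir:
            if e.hidden and e.system and "\\system32\\" in low:
                reasons.append("hidden+system folder inside System32")
        else:
            if e.ext in EXEC_EXT and e.hidden and e.system:
                reasons.append("hidden+system executable")
            if e.ext in EXEC_EXT and PROFILE_ROOT.match(e.path):
                reasons.append("executable directly in a user profile root")
            if e.ext in SCRIPT_EXT and "\\application data\\" in low:
                reasons.append("script dropped under Application Data")
            if e.ext == ".sys" and "\\drivers\\" in low and not e.company:
                reasons.append("driver with no company/version info")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Sample input: lines taken from the OTL log above (plus one *.tmp summary line
# and one Unicode line, which the parser is expected to skip).
SAMPLE_LOG = r"""
========== Files/Folders - Created Within 30 Days ==========

[2010/10/20 10:26:17 | 000,046,640 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\msln.exe
[2010/10/20 10:25:08 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/10/20 10:33:45 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tsetsi\Desktop\OTL.scr
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/16 16:24:45 | 000,000,197 | ---- | M] () -- C:\Documents and Settings\Tsetsi\Application Data\22109.bat
[2010/11/16 14:18:31 | 000,258,048 | RHS- | M] () -- C:\Documents and Settings\Tsetsi\keueme.exe
[2010/11/15 22:54:25 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\dralwyg.sys
[2010/11/15 22:21:12 | 000,258,048 | RHS- | M] () -- C:\Documents and Settings\Tsetsi\yeazia.exe
[2010/10/19 16:23:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/17 14:26:49 | 000,025,874 | ---- | C] ()(C:\Documents and Settings\Tsetsi\Desktop\????.docx) -- C:\Documents and Settings\Tsetsi\Desktop\Жега.docx
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_entries(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, it lists lowsec, 22109.bat, keueme.exe, dralwyg.sys and yeazia.exe, while msln.exe, OTL.scr and bootstat.dat pass. One caveat that matters on this thread: OTL reports what the file system API shows it, and with a kernel-mode rootkit active (the TDSS this topic opened with) that listing can be incomplete, so an empty triage result is not evidence of a clean machine.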

#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 20 October 2010 - 11:18 PM

Hello Leogane,
You will want to print out or copy these instructions to Notepad for offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Leogane and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Step 1
Start Spybot-S&D, switch to the Advanced mode via the menu bar item Mode
then select Advanced Mode

On the left hand side, select Tools
Then click on the Resident icon in the list
Uncheck Resident TeaTimer and OK any prompts.
Now Logoff & Restart your computer fresh.

Step 2
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall


  • Please double-click OTL.scr to run it. (Note: If you are running on Windows 7 or Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    :processes
    killallprocesses

    :OTL
    O4 - HKCU..\Run: [keueme] C:\Documents and Settings\Tsetsi\keueme.exe ()
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found

    :files
    C:\Documents and Settings\Tsetsi\keueme.exe
    C:\Documents and Settings\Tsetsi\yeazia.exe
    C:\WINDOWS\system32\sdra64.exe
    recycler /alldrives

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 3
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan and how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)


Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Step 4
Copy and Paste the contents of the following logs:
OTL MovedFiles log
C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
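The two lines in the :OTL section of the fix above are autostart entries: a Run value under HKCU and a Winlogon UserInit entry. As an added example (not this thread's or OTL's own code), the Python below parses O4 and O20 lines in the layout shown above and flags a Run target living in a profile root, a UserInit entry that is not the stock userinit.exe, and a target OTL reports as "File not found". The stock Winlogon values are an assumed Windows XP baseline, the SynTPEnh, Shell and stock UserInit lines are constructed for contrast, and the keueme and sdra64 lines are taken from the post above.

```python
import re

# Assumed Windows XP baseline for the Winlogon values OTL reports as O20 lines.
# Verify against a known-clean machine of the same Windows version before relying on it.
STOCK_WINLOGON = {
    "userinit": r"c:\windows\system32\userinit.exe",
    "shell": "explorer.exe",
}
# Assumed XP profile layout: a file directly under a user's profile root.
PROFILE_ROOT = re.compile(r"^C:\\Documents and Settings\\[^\\]+\\[^\\]+$", re.I)

# O4 - HKCU..\Run: [keueme] C:\Documents and Settings\Tsetsi\keueme.exe ()
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?) (?:\((?P<company>[^)]*)\)|File not found)$"
)
# O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O20_RE = re.compile(
    r"^O20 - (?P<hive>HKLM|HKCU) Winlogon: (?P<value>\w+) - \((?P<entry>[^)]*)\) - "
    r"(?P<path>.+?) (?:\((?P<company>[^)]*)\)|(?P<missing>File not found))$"
)


def triage_autostarts(text: str) -> list:
    """Return (location, target, reasons) for O4/O20 lines worth a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = []
            if PROFILE_ROOT.match(m["path"]):
                reasons.append("Run entry launches an executable from a user profile root")
            if m["company"] is not None and not m["company"].strip():
                reasons.append("target has no company/version info (weak hint on its own)")
            if reasons:
                findings.append((f"{m['hive']}\\{m['key']}\\{m['name']}", m["path"], reasons))
            continue
        m = O20_RE.match(line)
        if m:
            reasons = []
            stock = STOCK_WINLOGON.get(m["value"].lower())
            if stock is not None and m["entry"].strip().lower() != stock:
                reasons.append(f"{m['value']} points to a non-stock executable")
            if m["missing"]:
                reasons.append("listed target not visible on disk (already removed, or hidden from the scanner)")
            if reasons:
                findings.append((f"Winlogon\\{m['value']}", m["path"], reasons))
    return findings


# Sample input: the two lines from the fix above, plus three constructed benign
# lines (a vendor Run entry and the stock Shell/UserInit values) for contrast.
SAMPLE_OTL = r"""
O4 - HKCU..\Run: [keueme] C:\Documents and Settings\Tsetsi\keueme.exe ()
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
"""

if __name__ == "__main__":
    for where, target, reasons in triage_autostarts(SAMPLE_OTL):
        print(where, "->", target)
        for reason in reasons:
            print("   -", reason)
```

Only the keueme Run value and the sdra64 UserInit entry are reported; the constructed vendor and stock lines pass. The "File not found" case is the one to read carefully: a live registry reference to a missing file means either the file is already gone or something is keeping it out of the scanner's view, and in both cases the stale autostart should be removed, which is why the fix above lists both the registry line and the file path.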

#12 Leogane

Leogane
  • Topic Starter

  • Members
  • 26 posts

Posted 21 October 2010 - 09:44 AM

I got to step 2 and then things didn't go as they were supposed to.

  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

instead of that message box I got something like OTL has been prompted to reboot, so I let it. Then at startup I got the RUN/Cancel menu that you get when you double-click, so I hit Run but nothing happened. After my computer started again, I double-clicked it again, but then it started just as usual, so didn't know what to do or if there was a log and how to get to it if so. Also, at startup got a message from Symantec about a backdoor.tidserv and now I can't even open Symantec.

What should I do with OTL?

#13 Leogane

Leogane
  • Topic Starter

  • Members
  • 26 posts

Posted 21 October 2010 - 04:35 PM

Sorry, I found it right after I posted that last reply but I'm using satellite internet which has been ridiculous the past few days, so I couldn't post the logs till now.


Here's the OTL

All processes killed
========== PROCESSES ==========
No active process named :OTL was found!
No active process named keueme.exe was found!
No active process named sdra64.exe) - was found!
No active process named sdra64.exe File not found was found!
No active process named :files was found!
No active process named keueme.exe was found!
No active process named yeazia.exe was found!
No active process named sdra64.exe was found!
No active process named recycler /alldrives was found!
No active process named :Commands was found!
No active process named [purity] was found!
No active process named [emptytemp] was found!
No active process named [CREATERESTOREPOINT] was found!
No active process named [EMPTYFLASH] was found!
No active process named [Reboot] was found!

OTL by OldTimer - Version 3.2.16.0 log created on 10212010_092401

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




and I'll post the Combofix after I run it.

#14 Leogane

Leogane
  • Topic Starter

  • Members
  • 26 posts

Posted 21 October 2010 - 05:33 PM

Maurice, I've been trying to run Combofix, but to no avail. I did the whole "save as" and renamed it and all, but every time I try to start it, and I tried probably five times, restarted the laptop a couple of times as well, so as I was saying, every time I try to run it, I get about 20-25 of those messages - see below, it's only three messages actually, but I get so many of them, one after the other and Combofix fails to start.

Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item.

On one of the messages it's 32788R22FWJFW\hidec.exe
the second one is 32788R22FWJFW\iexplore.ex
and the third one is 32788R22FWJFW\n.pif

after that I get the blue screen but it's blank and does nothing.

#15 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 21 October 2010 - 06:06 PM

Please do NOT run tools more than once --- unless I asked you to.
You ran Combofix or tried to run it 5 times, which is not the way to go.

From this point on, if a tool is not working, please Stop and put the problem here, and wait for a reply.

Tell me if you have your Windows CD/DVD .... just in case we may need it.

For now, restart the computer (if you have to, power off and then power back on) then report back here.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



