
Infected with unknown virus that disables task manager, registry tools, antivirus, blocks online scanne


This topic is locked. 15 replies to this topic.

#1 bminoiu (Members, 8 posts)

Posted 24 November 2010 - 09:08 PM

Hello,

I'm running Windows XP SP2 on an Intel Core2Duo E6420.
I am infected with an unknown virus.

The symptoms:
- my antivirus got disabled (Bitdefender 2008); in the meantime I tried to reinstall it and failed. Now I have no antivirus installed.
- task manager and registry tools (regedit, gpedit) are disabled.
- online virus scanners are inaccessible - I tried Bitdefender and ESET and the page does not load; also, the homepages for McAfee, Bitdefender and Kaspersky do not load
- I get "No Disk" errors for most of the applications I am using, e.g. "windnwl.exe - No Disk There is no disk in the drive. Please insert a disk into drive \Device\HardDisk1\DR8"

What I did:
1. Before coming to your site, I tried using some malware removal tools I had. I ran a HiJackThis scan, then ComboFix, then MalwareBytes, then ComboFix again. No use. I know now it was a bad idea. However, I have saved logs from each of them and can provide them if requested.
2. I made an account here and ran DDS. DDS.txt is copied below and Attach.txt is attached (Attach.txt, 6.09 KB).
3. I tried running GMER, but it stalls somewhere during the scan. The last line is "Disk \Device\Harddisk0\DR0 sector63:root-like behaviour; copy of MBR".
Also, during the scan, the following error keeps popping up:
"windnwl.exe - No Disk There is no disk in the drive. Please insert a disk into drive \Device\HardDisk1\DR8"

What should I do next?

Thanks in advance,
Bogdan






DDS (Ver_10-11-10.01) - NTFSx86
Run by Mino at 2:52:09,37 on 25.11.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.355 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\volumouse\volumouse.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe
C:\Documents and Settings\Mino\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No File
uRun: [$Volumouse$] "c:\volumouse\volumouse.exe" /nodlg
mRun: [SkyTel] SkyTel.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: {B1A576AE-6C1E-4339-BC62-54C609C38F00} = 82.76.253.115 82.76.253.125
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mino\applic~1\mozilla\firefox\profiles\69pcy5wu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\mino\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\gsjlnh.sys --> c:\windows\system32\drivers\gsjlnh.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\dragon age\bin_ship\daupdatersvc.service.exe [2010-3-28 107752]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\mino\locals~1\temp\dsd28d.tmp --> c:\docume~1\mino\locals~1\temp\DSD28D.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\f:\instalate\garena\plugins\ui\safedrv.sys --> f:\instalate\garena\plugins\ui\safedrv.sys [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-8-28 24576]

=============== Created Last 30 ================

2010-11-25 00:16:17 -------- d-----w- C:\ComboFix
2010-11-24 23:52:49 388096 ----a-r- c:\docume~1\mino\applic~1\microsoft\installer\{0761c9a8-8f3a-4216-b4a7-b7afbf24a24a}\HiJackThis.exe
2010-11-24 23:51:12 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-11-24 23:21:47 -------- d-----w- c:\docume~1\mino\applic~1\Malwarebytes
2010-11-24 23:21:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-24 23:21:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-24 23:21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-24 23:21:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-24 22:36:18 98816 ----a-w- c:\windows\sed.exe
2010-11-24 22:36:18 89088 ----a-w- c:\windows\MBR.exe
2010-11-24 22:36:18 256512 ----a-w- c:\windows\PEV.exe
2010-11-24 22:36:18 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-11-21 18:11:52 81984 ----a-w- c:\windows\system32\bdod.bin

============= FINISH: 2:52:22,92 ===============
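The DDS log above already contains the entries that explain the reported symptoms: two user-hive policy values that disable Task Manager and registry tools, an executable running from the user's Temp folder, and a driver service whose file DDS could not read on disk (the "[?]" in place of date and size). The following Python script is an editor's example, not part of the thread or of the DDS tool; it parses a constructed excerpt in the section and line layout DDS uses here (banner headings, "uPolicies-system" lines, "R3 name;display;path [date size]" service lines) and flags those entries, treating the HKLM EnableLUA=0 line as noise because UAC does not exist on Windows XP.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout DDS uses (section banners, "[um]Policies-system" lines,
# "R3/S3 name;display;path [date size]" service lines). Not the full log from the thread.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe
C:\Documents and Settings\Mino\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uRun: [$Volumouse$] "c:\volumouse\volumouse.exe" /nodlg
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\gsjlnh.sys --> c:\windows\system32\drivers\gsjlnh.sys [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-8-28 24576]
"""

# DDS hive prefixes: u = current user (HKCU), m = machine (HKLM), d = default-user hive.
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

# Policy values worth flagging in this case: (value that is bad, severity, explanation).
POLICY_RULES = {
    "DisableTaskMgr": ("1", "high", "Task Manager blocked by policy"),
    "DisableRegistryTools": ("1", "high", "regedit blocked by policy"),
    # EnableLUA governs UAC, which exists only on Vista and later; on XP the line is noise.
    "EnableLUA": ("0", "info", "UAC disabled (no effect on Windows XP)"),
}

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
POLICY_RE = re.compile(r"^([umd])Policies-system:\s*(\w+)\s*=\s*(\d+)")
# state name;display;image path [date size]; the bracket holds "?" when DDS could not stat the file
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[(.*)\]$")
TEMP_DIR_RE = re.compile(r"\\(locals~1|local settings)\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    category: str
    detail: str


def parse_sections(text):
    """Split a DDS log into {section name: [non-blank lines]} using its '=== name ===' banners."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return the findings a first-pass reviewer would pull out of a DDS log."""
    sections = parse_sections(text)
    findings = []

    # Executables running out of a user's Temp directory rarely belong there.
    for proc in sections.get("Running Processes", []):
        if TEMP_DIR_RE.search(proc):
            findings.append(Finding("high", "process-from-temp", proc))

    # Policy keys that explain the "Task Manager / regedit disabled" symptom.
    for line in sections.get("Pseudo HJT Report", []):
        m = POLICY_RE.match(line)
        if not m:
            continue
        hive, name, value = m.groups()
        rule = POLICY_RULES.get(name)
        if rule and rule[0] == value:
            findings.append(Finding(rule[1], "restrictive-policy",
                                    f"{HIVES[hive]} {name}={value}: {rule[2]}"))

    # Services whose image file DDS could not read ("[?]"): missing or hidden on disk.
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and m.group(5).strip() == "?":
            state, name, _display, path, _meta = m.groups()
            findings.append(Finding("medium", "driver-unreadable", f"{state} {name}: {path}"))

    return findings


def summarize(findings):
    """One line per finding, highest severity first, for pasting into a reply."""
    order = {"high": 0, "medium": 1, "info": 2}
    return [f"[{f.severity}] {f.category}: {f.detail}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    for row in summarize(triage(SAMPLE_DDS)):
        print(row)
```

Run against a full DDS.txt the same way (read the file, call `triage`); the section names and regexes assume the banner and line formats visible in the log posted above.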



#2 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Bulgaria)

Posted 02 December 2010 - 02:44 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi


#3 bminoiu (Topic Starter, Members, 8 posts)

Posted 02 December 2010 - 06:32 AM

Hi,

Thank you for your reply. I've rerun the scan with DDS and GMER (this time successfully with GMER). Below is the content of DDS.txt. I've attached the Attach.txt and Gmer.log files zipped.

Regards,
Bogdan




DDS (Ver_10-11-10.01) - NTFSx86
Run by Mino at 13:03:49,25 on 02.12.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.540 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\volumouse\volumouse.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\Mino\LOCALS~1\Temp\idfqb.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
G:\Kituri\Alte prostii\WakeMeUP.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mino\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No File
uRun: [$Volumouse$] "c:\volumouse\volumouse.exe" /nodlg
mRun: [SkyTel] SkyTel.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mino\applic~1\mozilla\firefox\profiles\69pcy5wu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\mino\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\gsjlnh.sys --> c:\windows\system32\drivers\gsjlnh.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\dragon age\bin_ship\daupdatersvc.service.exe [2010-3-28 107752]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\mino\locals~1\temp\dsd28d.tmp --> c:\docume~1\mino\locals~1\temp\DSD28D.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\f:\instalate\garena\plugins\ui\safedrv.sys --> f:\instalate\garena\plugins\ui\safedrv.sys [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-8-28 24576]

=============== Created Last 30 ================

2010-11-25 00:16:17 -------- d-----w- C:\ComboFix
2010-11-24 23:52:49 465920 ----a-r- c:\docume~1\mino\applic~1\microsoft\installer\{0761c9a8-8f3a-4216-b4a7-b7afbf24a24a}\HiJackThis.exe
2010-11-24 23:51:12 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-11-24 23:21:47 -------- d-----w- c:\docume~1\mino\applic~1\Malwarebytes
2010-11-24 23:21:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-24 23:21:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-24 23:21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-24 23:21:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-24 22:36:18 98816 ----a-w- c:\windows\sed.exe
2010-11-24 22:36:18 89088 ----a-w- c:\windows\MBR.exe
2010-11-24 22:36:18 256512 ----a-w- c:\windows\PEV.exe
2010-11-24 22:36:18 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-11-21 18:11:52 81984 ----a-w- c:\windows\system32\bdod.bin

============= FINISH: 13:04:07,73 ===============




#4 pwgib (Malware Response Team, 2,956 posts, God's Country)

Posted 03 December 2010 - 10:44 AM

Hello bminoiu,

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Thank you for your patience!!
PW

#5 bminoiu (Topic Starter, Members, 8 posts)

Posted 03 December 2010 - 05:17 PM

Hi,

Thank you for your reply. I haven't resolved the problem with my system yet.
I have posted the requested logs. I'm waiting for your advice.
What are the next steps?

Thanks,
Bogdan

#6 pwgib (Malware Response Team, 2,956 posts, God's Country)

Posted 04 December 2010 - 07:32 AM

Hi bminoiu,

Post Logs

I see you have ComboFix installed. You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

If you do not have ComboFix.txt on your desktop please navigate to C:\ComboFix.txt and post the report in your next reply.

If you have a RKUnhooker log please post it.

p2p

Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case µTorrent). These programs allow file sharing between users as the name(s) suggest. In today's world cyber crime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools as a huge amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools and so these tools must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes on copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

If you decide to keep this program please refrain from using it until we get your computer clean.

Step 1.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.

We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply please include the following:

ComboFix.txt
RKUnhooker log <---- If available
TDSSKiller log
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


Thanks!!

Edited by pwgib, 04 December 2010 - 07:34 AM.

PW

#7 bminoiu (Topic Starter, Members, 8 posts)

Posted 05 December 2010 - 11:52 AM

Hi,

Sorry for the late reply, I was out of town.
Below I've copied the content of the requested logs.
I'm waiting for the next steps.

Thank you,
Bogdan


ComboFix.txt
ComboFix 10-11-24.01 - Mino 25.11.2010 2:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.714 [GMT 2:00]
Running from: c:\documents and settings\Mino\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))
.

2010-11-25 00:00 . 2010-11-25 00:03 -------- d-----w- c:\windows\LastGood.Tmp
2010-11-24 23:52 . 2010-11-24 23:52 388096 ----a-r- c:\documents and settings\Mino\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-11-24 23:51 . 2010-11-24 23:51 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-11-24 23:21 . 2010-11-24 23:21 -------- d-----w- c:\documents and settings\Mino\Application Data\Malwarebytes
2010-11-24 23:21 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-24 23:21 . 2010-11-24 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-24 23:21 . 2010-11-24 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-24 23:21 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-11-24_22.40.26 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"$Volumouse$"="c:\volumouse\volumouse.exe" [2009-08-05 33280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^Mino^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Mino\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mino^Start Menu^Programs^Startup^Rds.lnk]
path=c:\documents and settings\Mino\Start Menu\Programs\Startup\Rds.lnk
backup=c:\windows\pss\Rds.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 14:10 113520 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-12 22:58 205808 ----atw- c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2010-08-18 07:53 323584 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 233472 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 00:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-03-16 00:37 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-12-19 03:12 16062464 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Instalate\\Age of Empires II\\SETUPREG.EXE"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\volumouse\\volumouse.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
"c:\\Documents and Settings\\Mino\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe"=
"c:\\Program Files\\Notepad++\\notepad++.exe"=
"c:\\Program Files\\Google\\Picasa3\\PicasaPhotoViewer.exe"=
"c:\\Program Files\\Skype\\Toolbars\\Shared\\SkypeNames2.exe"=
"c:\\Documents and Settings\\Mino\\Desktop\\ComboFix.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04.10.2009 20:20 717296]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\dragon age\bin_ship\daupdatersvc.service.exe [28.03.2010 11:25 107752]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Mino\LOCALS~1\Temp\DSD28D.tmp --> c:\docume~1\Mino\LOCALS~1\Temp\DSD28D.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\f:\instalate\Garena\plugins\UI\safedrv.sys --> f:\instalate\Garena\plugins\UI\safedrv.sys [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [28.08.2010 18:57 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003Core.job
- c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-12 22:58]

2010-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003UA.job
- c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-12 22:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 111.68.99.22:8080
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mino\Application Data\Mozilla\Firefox\Profiles\69pcy5wu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2008\bdagent.exe
MSConfigStartUp-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2008\IEShow.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Mino\LOCALS~1\Temp\DSD28D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1596)
c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\volumouse\vlmshlp.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-25 02:22:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-25 00:22
ComboFix2.txt 2010-11-24 22:42

Pre-Run: 5.098.156.032 bytes free
Post-Run: 5.192.011.776 bytes free

- - End Of File - - 8689477C8191EB78E013B75A55496C17
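
Added example (the editor's, not the poster's and not a ComboFix feature): a small Python triage pass over the ComboFix log format above. The settings a responder checks first when a box reports its antivirus and firewall quietly going away are all visible in the log: the Security Center `*Override` and `*DisableNotify` values set to 1, `EnableFirewall`=0 for the standard profile, the system-wide IE proxy `111.68.99.22:8080` pointing off-box, and a service (`GarenaPEngine`) whose binary sits in a `Temp` directory and is marked `[?]` (file not found). The script assumes the line shapes as ComboFix prints them and runs over a constructed excerpt whose lines are copied from the log; the category names and the `proxy_is_offbox` heuristic are my own.

```python
"""Triage a ComboFix log for tampering indicators (added example, not ComboFix code)."""
import ipaddress
import re

# Constructed excerpt: line shapes and values copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04.10.2009 20:20 717296]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Mino\LOCALS~1\Temp\DSD28D.tmp --> c:\docume~1\Mino\LOCALS~1\Temp\DSD28D.tmp [?]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [28.08.2010 18:57 24576]

uStart Page = about:blank
uInternet Settings,ProxyServer = 111.68.99.22:8080
"""

# Registry key headers for the Security Center root and its Svc subkey.
SEC_CENTER_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center(\\Svc)?\]$", re.I)
# "AntiVirusOverride"=dword:00000001 style values that silence Security Center.
OVERRIDE_ON = re.compile(r'^"(\w+(?:Override|DisableNotify))"=dword:0*1$', re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)$", re.I)
# R0/S3 service lines: "<start> <name>;<display>;<path> [<date size>|?]".
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)\s+\[([^\]]*)\]\s*$")
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def proxy_is_offbox(hostport):
    """True when the proxy is not loopback/RFC1918 (a hostname is reported as well)."""
    host = hostport.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname cannot be judged offline; let the analyst look at it
    return not (ip.is_loopback or ip.is_private)


def triage(log_text):
    """Return (category, detail) findings for the four checks described above."""
    findings = []
    in_sec_center = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header: remember whether we are inside the Security Center keys.
            in_sec_center = SEC_CENTER_KEY.match(line) is not None
            continue
        if in_sec_center:
            m = OVERRIDE_ON.match(line)
            if m:
                findings.append(("security_center", m.group(1)))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(("firewall_disabled", "standardprofile EnableFirewall=0"))
            continue
        m = PROXY.match(line)
        if m:
            if proxy_is_offbox(m.group(1)):
                findings.append(("proxy_offbox", m.group(1)))
            continue
        m = SERVICE.match(line)
        if m:
            name, path, info = m.group(1), m.group(2), m.group(3)
            path = path.split(" --> ")[-1]  # ComboFix prints "\??\raw --> resolved"
            if info.strip() == "?":
                findings.append(("service_file_missing", f"{name}: {path}"))
            if TEMP_DIR.search(path):
                findings.append(("service_in_temp", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22s} {detail}")
```

Two caveats on reading the output. The Security Center `Override`/`DisableNotify` values are also written legitimately by some third-party suites when they register as the active antivirus or firewall, so a hit is a lead to confirm against what is installed, not a verdict; likewise the proxy may have been set by the user, and a hostname (rather than an IP) is reported rather than judged. On a live XP host the same values can be confirmed with `reg query "HKLM\SOFTWARE\Microsoft\Security Center"` and `netsh firewall show state` before anything is changed.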


RKUnhooker log

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x80622048-->F73DB0E0 [spwv.sys]
ntkrnlpa.exe-->NtEnumerateKey, Type: Address change 0x80622888-->F73F9CA2 [spwv.sys]
ntkrnlpa.exe-->NtEnumerateValueKey, Type: Address change 0x80622AF2-->F73FA030 [spwv.sys]
ntkrnlpa.exe-->NtOpenKey, Type: Address change 0x806233DE-->F73DB0C0 [spwv.sys]
ntkrnlpa.exe-->NtQueryKey, Type: Address change 0x80623702-->F73FA108 [spwv.sys]
ntkrnlpa.exe-->NtQueryValueKey, Type: Address change 0x80620102-->F73F9F88 [spwv.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80620708-->F73FA19A [spwv.sys]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x867C47F8 [4] System (Microsoft Corporation, .NET Framework)
0x85941BE0 [348] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java™ Quick Starter Service)
0x85CBC6E8 [616] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x85C096E8 [668] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x85C196E8 [692] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x86557360 [736] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x85BD46E8 [748] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x85F43788 [912] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 197.13)
0x85EDB788 [956] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85EC1788 [1000] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85FC2788 [1096] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85EE7788 [1208] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85EC4788 [1260] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85E5E788 [1440] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x85E30788 [1680] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x85DFE788 [1784] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation, IPoint.exe)
0x862F33B0 [1804] C:\volumouse\volumouse.exe (NirSoft, Volumouse Utility)
0x855A9020 [2012] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x855BA828 [5936] C:\Documents and Settings\Mino\Desktop\MustBeRandomlyNamed\UfsvbNaujrq.exe (UG North, RKULE, SR2 Normandy)
==============================================
>Drivers
==============================================
0xF5379000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10235904 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 197.13 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6434816 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 197.13 )
0xEE56F000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4567040 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1839104 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1839104 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF73DA000 PCI_PNP8252 1048576 bytes
0xF73DA000 sptd 1048576 bytes
0xF73DA000 spwv.sys 1048576 bytes
0xF7238000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEE3BC000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xEE4C2000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB835C000 C:\WINDOWS\system32\DRIVERS\srv.sys 339968 bytes (Microsoft Corporation, Server driver)
0xF52AF000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 307200 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB8203000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF5241000 C:\WINDOWS\System32\Drivers\ax7bqefy.SYS 225280 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF5278000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xF518C000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xF51E8000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7394000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB8427000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF720B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEE42B000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB20AB000 C:\WINDOWS\system32\drivers\kmixer.sys 172032 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE49A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF733E000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF52FA000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF531F000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF5342000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xEE457000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEE54D000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xEE479000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E2000 ACPI_HAL 134400 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72EE000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7364000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF71F0000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xEE3A3000 C:\WINDOWS\System32\Drivers\dump_nvata.sys 102400 bytes
0xF730D000 nvata.sys 102400 bytes (NVIDIA Corporation, NVIDIA® nForce™ IDE Performance Driver)
0xF7326000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF73C2000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF72C5000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF522A000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB86AB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF5365000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEE51A000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF72DC000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7383000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5219000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xEF35F000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF779B000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xEF89C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF77AB000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF4A9A000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xEF8AC000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF761B000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF777B000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF77BB000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75FB000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF658D000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF778B000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF75EB000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF659D000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF77CB000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF656D000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF760B000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xEF86C000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xEF36F000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF76DB000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF783B000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF75DB000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF657D000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xEF87C000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB84C4000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xEF8BC000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xF762B000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xEF88C000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF79D3000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF791B000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF79E3000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF785B000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7933000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7923000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79B3000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7873000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF79C3000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF790B000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF79CB000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7863000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF79A3000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF79AB000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF799B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF792B000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF789B000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF71B4000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB87EC000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7AC7000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF79EB000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEEAAB000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xEEAC7000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xEEAC3000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7AD7000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xEF1C5000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF2595000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7ADF000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF258D000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF2597000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B0D000 C:\WINDOWS\system32\drivers\gsjlnh.sys 8192 bytes
0xF7ADB000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF2593000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF2591000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B01000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF259B000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7ADD000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7CD6000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7CC8000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C73000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BA3000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x867671F8 unknown_irp_handler 3592 bytes
0x867681F8 unknown_irp_handler 3592 bytes
0x867DA1F8 unknown_irp_handler 3592 bytes
0x865321F8 unknown_irp_handler 3592 bytes
0x867691F8 unknown_irp_handler 3592 bytes
0x865251F8 unknown_irp_handler 3592 bytes
0x867DB1F8 unknown_irp_handler 3592 bytes
0x858E91F8 unknown_irp_handler 3592 bytes
0x8653E1F8 unknown_irp_handler 3592 bytes
0x858EC1F8 unknown_irp_handler 3592 bytes
0x86590500 unknown_irp_handler 2816 bytes
0x8635B500 unknown_irp_handler 2816 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
==============================================
>Files
==============================================
!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat
!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat
!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\VikPev00
!-->[Hidden] C:\System Volume Information\_restore{EBE37C54-148F-474D-BFEA-9DD59F666744}\RP3\A0000447.exe
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002CB10, Type: Inline - RelativeCall 0x80503B10-->84F73FA1 [unknown_code_page]
ntkrnlpa.exe+0x0006DC5E, Type: Inline - RelativeJump 0x80544C5E-->80544C65 [ntkrnlpa.exe]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

TDSSKiller_2.4.1.0_05.12.2010_18.36.47.log


2010/12/05 18:36:47.0140 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/12/05 18:36:47.0140 ================================================================================
2010/12/05 18:36:47.0140 SystemInfo:
2010/12/05 18:36:47.0140
2010/12/05 18:36:47.0140 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/05 18:36:47.0140 Product type: Workstation
2010/12/05 18:36:47.0140 ComputerName: M
2010/12/05 18:36:47.0140 UserName: Mino
2010/12/05 18:36:47.0140 Windows directory: C:\WINDOWS
2010/12/05 18:36:47.0140 System windows directory: C:\WINDOWS
2010/12/05 18:36:47.0140 Processor architecture: Intel x86
2010/12/05 18:36:47.0140 Number of processors: 2
2010/12/05 18:36:47.0140 Page size: 0x1000
2010/12/05 18:36:47.0140 Boot type: Normal boot
2010/12/05 18:36:47.0140 ================================================================================
2010/12/05 18:36:47.0734 Initialize success
2010/12/05 18:37:09.0593 ================================================================================
2010/12/05 18:37:09.0593 Scan started
2010/12/05 18:37:09.0593 Mode: Manual;
2010/12/05 18:37:09.0593 ================================================================================
2010/12/05 18:37:09.0937 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/05 18:37:09.0968 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/05 18:37:10.0000 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/12/05 18:37:10.0046 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/12/05 18:37:10.0125 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/05 18:37:10.0140 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/05 18:37:10.0156 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/05 18:37:10.0187 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/05 18:37:10.0218 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/05 18:37:10.0250 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/05 18:37:10.0265 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/05 18:37:10.0281 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/05 18:37:10.0312 Cdrom (7b53584d94e9d8716b2de91d5f1cb42d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/05 18:37:10.0375 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/05 18:37:10.0421 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/05 18:37:10.0468 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/05 18:37:10.0468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/05 18:37:10.0515 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/05 18:37:10.0531 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/05 18:37:10.0546 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/05 18:37:10.0562 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/05 18:37:10.0578 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/05 18:37:10.0593 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/05 18:37:10.0609 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/12/05 18:37:10.0640 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/05 18:37:10.0640 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/05 18:37:10.0812 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/05 18:37:10.0843 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/05 18:37:10.0859 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/05 18:37:10.0890 HTCAND32 (cbd09ed9cf6822177ee85aea4d8816a2) C:\WINDOWS\system32\Drivers\ANDROIDUSB.sys
2010/12/05 18:37:10.0921 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/05 18:37:10.0968 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/05 18:37:10.0984 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/05 18:37:11.0125 IntcAzAudAddService (001aaca6ed0e6b00fc5b8faf74977e81) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/05 18:37:11.0171 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/05 18:37:11.0187 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/12/05 18:37:11.0218 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/05 18:37:11.0218 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/05 18:37:11.0234 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/05 18:37:11.0250 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/05 18:37:11.0281 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/05 18:37:11.0296 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/05 18:37:11.0312 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/05 18:37:11.0328 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/05 18:37:11.0343 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/05 18:37:11.0359 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/05 18:37:11.0390 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/05 18:37:11.0406 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/05 18:37:11.0421 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/05 18:37:11.0437 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/05 18:37:11.0453 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/05 18:37:11.0468 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/05 18:37:11.0500 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/05 18:37:11.0531 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/05 18:37:11.0546 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/05 18:37:11.0562 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/05 18:37:11.0578 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/05 18:37:11.0593 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/05 18:37:11.0609 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/05 18:37:11.0640 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/05 18:37:11.0656 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/05 18:37:11.0671 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/05 18:37:11.0671 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/05 18:37:11.0687 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/05 18:37:11.0703 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/05 18:37:11.0734 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/05 18:37:11.0750 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/05 18:37:11.0781 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/05 18:37:12.0031 nv (cd9ed87b4fc6ec41d3b5be0b923843fc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/05 18:37:12.0296 nvata (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\DRIVERS\nvata.sys
2010/12/05 18:37:12.0312 NVENETFD (b9333604527e02cd2223f200c0bae7e0) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/12/05 18:37:12.0312 nvnetbus (5e9e55f7ee644c7c5fd78a206fbe37ab) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/12/05 18:37:12.0343 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/05 18:37:12.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/05 18:37:12.0375 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2010/12/05 18:37:12.0390 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/05 18:37:12.0406 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/05 18:37:12.0437 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/05 18:37:12.0437 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/05 18:37:12.0468 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/05 18:37:12.0515 Point32 (5c71f7cdd1b4ba5f00b87ca05e414aea) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/12/05 18:37:12.0531 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/05 18:37:12.0546 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/05 18:37:12.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/05 18:37:12.0578 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/05 18:37:12.0625 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/05 18:37:12.0640 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/05 18:37:12.0656 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/05 18:37:12.0656 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/05 18:37:12.0687 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/05 18:37:12.0703 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/05 18:37:12.0750 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/05 18:37:12.0812 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/05 18:37:12.0828 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/05 18:37:12.0890 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/05 18:37:12.0906 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/05 18:37:12.0953 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/05 18:37:13.0000 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/05 18:37:13.0062 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
2010/12/05 18:37:13.0062 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
2010/12/05 18:37:13.0062 sptd - detected Locked file (1)
2010/12/05 18:37:13.0062 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/05 18:37:13.0078 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/05 18:37:13.0093 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/05 18:37:13.0125 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/05 18:37:13.0171 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/05 18:37:13.0203 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/05 18:37:13.0218 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/05 18:37:13.0234 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/05 18:37:13.0281 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/05 18:37:13.0312 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/05 18:37:13.0343 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/05 18:37:13.0406 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/05 18:37:13.0421 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/05 18:37:13.0437 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/05 18:37:13.0437 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/05 18:37:13.0468 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/05 18:37:13.0484 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/05 18:37:13.0515 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/05 18:37:13.0531 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/05 18:37:13.0562 Wdf01000 (4769596d7cc0f5fa447d2babc239672a) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/12/05 18:37:13.0625 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/05 18:37:13.0687 ================================================================================
2010/12/05 18:37:13.0687 Scan finished
2010/12/05 18:37:13.0687 ================================================================================
2010/12/05 18:37:13.0687 Detected object count: 1
2010/12/05 18:37:20.0765 Locked file(sptd) - User select action: Skip


OTL report


OTL logfile created on: 05.12.2010 18:38:04 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Mino\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000418 | Country: Romania | Language: ROM | Date Format: dd.MM.yyyy

1.023,00 Mb Total Physical Memory | 752,00 Mb Available Physical Memory | 73,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29,39 Gb Total Space | 4,27 Gb Free Space | 14,52% Space Free | Partition Type: NTFS
Drive D: | 146,63 Gb Total Space | 1,65 Gb Free Space | 1,13% Space Free | Partition Type: NTFS
Drive E: | 49,81 Gb Total Space | 3,27 Gb Free Space | 6,56% Space Free | Partition Type: NTFS
Drive F: | 49,80 Gb Total Space | 3,77 Gb Free Space | 7,56% Space Free | Partition Type: NTFS
Drive G: | 22,46 Gb Total Space | 0,09 Gb Free Space | 0,42% Space Free | Partition Type: NTFS

Computer Name: M | User Name: Mino | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010.12.05 18:36:07 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
PRC - [2010.12.05 18:35:18 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Mino\Local Settings\temp\winkqpgi.exe
PRC - [2009.08.05 20:12:04 | 000,033,280 | ---- | M] (NirSoft) -- C:\volumouse\volumouse.exe
PRC - [2004.08.03 23:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010.12.05 18:36:07 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
MOD - [2009.08.05 20:11:32 | 000,008,704 | ---- | M] (NirSoft) -- C:\volumouse\vlmshlp.dll
MOD - [2004.08.03 23:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009.09.03 10:53:00 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009.07.26 05:43:14 | 000,107,752 | ---- | M] (BioWare) [On_Demand | Stopped] -- D:\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\InCDRm.sys -- (InCDRm)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\InCDPass.sys -- (InCDPass)
DRV - File not found [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\InCDFs.sys -- (InCDFs)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Instalate\Garena\plugins\UI\safedrv.sys -- (GGSAFERDriver)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Mino\LOCALS~1\Temp\DSD28D.tmp -- (GarenaPEngine)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\gsjlnh.sys -- (abp470n5)
DRV - [2010.03.16 08:51:59 | 010,232,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009.10.04 20:20:01 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009.06.09 23:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2006.12.21 10:26:00 | 004,405,248 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006.04.24 11:52:28 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006.02.17 05:28:32 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006.02.17 05:28:30 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005.01.07 16:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1614895754-746137067-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.ro/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..network.proxy.http: "125.167.193.41"
FF - prefs.js..network.proxy.http_port: 8080

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009.09.14 00:04:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.02.05 19:05:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\bdThunderbird@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2008\tbextension

[2009.09.14 00:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mino\Application Data\Mozilla\Extensions
[2009.09.15 01:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mino\Application Data\Mozilla\Firefox\Profiles\69pcy5wu.default\extensions
[2010.05.01 21:43:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.05.01 19:41:14 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

O1 HOSTS File: ([2010.11.25 02:20:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-1614895754-746137067-725345543-1003..\Run: [$Volumouse$] C:\volumouse\volumouse.exe (NirSoft)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.09.13 21:52:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.12.05 18:36:41 | 001,266,000 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Mino\Desktop\TDSSKiller.exe
[2010.12.05 18:36:07 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
[2010.11.28 21:43:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mino\Desktop\MustBeRandomlyNamed
[2010.11.28 21:43:06 | 000,719,574 | ---- | C] (UG North ) -- C:\Documents and Settings\Mino\Desktop\RkU3.8.388.590.exe
[2010.11.28 00:55:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010.11.25 02:51:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mino\Desktop\gmer
[2010.11.25 02:19:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010.11.25 02:16:17 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010.11.25 02:04:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Local Settings
[2010.11.25 02:00:33 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010.11.25 01:52:49 | 000,000,000 | ---D | C] -- C:\Program Files\HiJackThis
[2010.11.25 01:51:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010.11.25 01:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mino\Application Data\Malwarebytes
[2010.11.25 01:21:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.11.25 01:21:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.11.25 01:21:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.11.25 01:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.11.25 00:36:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010.11.25 00:36:18 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010.11.25 00:36:18 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010.11.25 00:36:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010.11.25 00:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.11.25 00:31:37 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.11.25 00:31:19 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Mino\Desktop\spybotsd162.exe
[2010.11.25 00:31:19 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mino\Desktop\mbam-setup.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.12.05 18:36:07 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
[2010.12.05 18:35:22 | 001,130,629 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\tdsskiller.zip
[2010.12.05 18:30:49 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010.12.05 18:30:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.12.05 18:30:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.12.02 16:09:00 | 000,001,178 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003UA.job
[2010.12.02 15:02:22 | 000,119,808 | ---- | M] () -- C:\Documents and Settings\Mino\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.12.02 13:27:02 | 000,002,453 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Attach_20101202.zip
[2010.12.02 13:26:54 | 000,001,894 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\gmer_20101202.zip
[2010.12.02 06:09:00 | 000,001,126 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003Core.job
[2010.12.02 04:15:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\WakeMeUP.INI
[2010.12.02 03:48:05 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\its-dangerous-to-go-alone1.jpg
[2010.12.02 03:22:05 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.12.02 03:19:32 | 000,000,038 | ---- | M] () -- C:\WINDOWS\avisplitter.INI
[2010.12.02 02:55:28 | 000,019,570 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\mirror-high-five.jpg
[2010.12.02 02:55:14 | 000,035,062 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\broke-back-mountain2.jpg
[2010.12.02 02:55:02 | 000,022,316 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\fact.jpg
[2010.12.01 16:54:51 | 000,150,837 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\laziness_or_genius.jpg
[2010.12.01 00:50:38 | 000,037,353 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\birthday-thanks-facebook-wall.png
[2010.11.28 22:48:53 | 000,063,805 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\dexter.s05e09.hdtv.xvid-fever.srt
[2010.11.28 22:46:26 | 577,327,684 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\dexter.s05e09.hdtv.xvid-fever.avi
[2010.11.28 21:42:45 | 000,629,057 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\RkU3.8.388.590.rar
[2010.11.27 13:19:16 | 000,047,137 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\christmas.jpg
[2010.11.25 02:49:07 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\gmer.zip
[2010.11.25 02:47:27 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\dds.scr
[2010.11.25 02:20:04 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.11.25 02:00:36 | 000,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2010.11.25 01:52:58 | 000,002,551 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\HiJackThis.lnk
[2010.11.25 01:28:28 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010.11.25 01:21:37 | 000,000,524 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Shortcut to regedit.exe.lnk
[2010.11.25 01:21:13 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.11.25 00:45:29 | 000,435,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.11.25 00:45:29 | 000,068,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.11.25 00:29:52 | 027,146,536 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\malware_removal.rar
[2010.11.25 00:27:22 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Mino\Desktop\spybotsd162.exe
[2010.11.25 00:24:24 | 001,401,344 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\HijackThis.msi
[2010.11.25 00:22:47 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mino\Desktop\mbam-setup.exe
[2010.11.25 00:12:50 | 003,992,695 | R--- | M] () -- C:\Documents and Settings\Mino\Desktop\ComboFix.exe
[2010.11.22 02:10:13 | 000,000,602 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Age of Empires II.lnk
[2010.11.21 20:11:52 | 000,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2010.11.09 23:19:44 | 000,028,514 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\sex.jpg
[2010.11.08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.12.05 18:35:21 | 001,130,629 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\tdsskiller.zip
[2010.12.02 13:27:02 | 000,002,453 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Attach_20101202.zip
[2010.12.02 13:26:54 | 000,001,894 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\gmer_20101202.zip
[2010.12.02 03:48:14 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\its-dangerous-to-go-alone1.jpg
[2010.12.02 02:55:32 | 000,019,570 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\mirror-high-five.jpg
[2010.12.02 02:55:22 | 000,035,062 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\broke-back-mountain2.jpg
[2010.12.02 02:55:05 | 000,022,316 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\fact.jpg
[2010.12.01 16:55:00 | 000,150,837 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\laziness_or_genius.jpg
[2010.12.01 00:50:42 | 000,037,353 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\birthday-thanks-facebook-wall.png
[2010.11.28 22:48:54 | 000,063,805 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\dexter.s05e09.hdtv.xvid-fever.srt
[2010.11.28 22:46:26 | 577,327,684 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\dexter.s05e09.hdtv.xvid-fever.avi
[2010.11.28 21:42:49 | 000,629,057 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\RkU3.8.388.590.rar
[2010.11.27 13:19:15 | 000,047,137 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\christmas.jpg
[2010.11.25 02:49:08 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\gmer.zip
[2010.11.25 02:47:28 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\dds.scr
[2010.11.25 01:52:49 | 000,002,551 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\HiJackThis.lnk
[2010.11.25 01:21:37 | 000,000,524 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Shortcut to regedit.exe.lnk
[2010.11.25 01:21:13 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.11.25 00:36:18 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010.11.25 00:36:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010.11.25 00:36:18 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010.11.25 00:36:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010.11.25 00:36:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010.11.25 00:31:19 | 003,992,695 | R--- | C] () -- C:\Documents and Settings\Mino\Desktop\ComboFix.exe
[2010.11.25 00:31:19 | 001,401,344 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\HijackThis.msi
[2010.11.25 00:30:49 | 027,146,536 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\malware_removal.rar
[2010.11.22 02:09:46 | 000,000,602 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Age of Empires II.lnk
[2010.11.09 23:19:53 | 000,028,514 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\sex.jpg
[2010.03.27 15:54:14 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010.01.10 01:19:28 | 000,076,344 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009.10.22 17:17:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009.10.04 20:20:01 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.09.22 23:22:46 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2009.09.15 00:40:37 | 000,119,808 | ---- | C] () -- C:\Documents and Settings\Mino\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.09.15 00:27:31 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.09.15 00:27:27 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.09.15 00:27:27 | 000,612,864 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009.09.15 00:27:27 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.09.15 00:27:26 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009.09.15 00:27:24 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.09.14 01:10:22 | 000,000,302 | ---- | C] () -- C:\WINDOWS\WakeMeUP.INI
[2009.09.14 00:39:27 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009.09.13 22:59:53 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2004.08.03 23:56:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004.07.17 10:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003.01.07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

< End of report >


Extras.txt


OTL Extras logfile created on: 05.12.2010 18:38:04 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Mino\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000418 | Country: Romania | Language: ROM | Date Format: dd.MM.yyyy

1.023,00 Mb Total Physical Memory | 752,00 Mb Available Physical Memory | 73,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29,39 Gb Total Space | 4,27 Gb Free Space | 14,52% Space Free | Partition Type: NTFS
Drive D: | 146,63 Gb Total Space | 1,65 Gb Free Space | 1,13% Space Free | Partition Type: NTFS
Drive E: | 49,81 Gb Total Space | 3,27 Gb Free Space | 6,56% Space Free | Partition Type: NTFS
Drive F: | 49,80 Gb Total Space | 3,77 Gb Free Space | 7,56% Space Free | Partition Type: NTFS
Drive G: | 22,46 Gb Total Space | 0,09 Gb Free Space | 0,42% Space Free | Partition Type: NTFS

Computer Name: M | User Name: Mino | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1
"UacDisableNotify" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"F:\Instalate\Age of Empires II\SETUPREG.EXE" = F:\Instalate\Age of Empires II\SETUPREG.EXE:*:Enabled:ipsec -- ()
"C:\Program Files\Winamp\winamp.exe" = C:\Program Files\Winamp\winamp.exe:*:Enabled:ipsec -- (Nullsoft)
"C:\volumouse\volumouse.exe" = C:\volumouse\volumouse.exe:*:Enabled:ipsec -- (NirSoft)
"C:\Program Files\DAEMON Tools Lite\daemon.exe" = C:\Program Files\DAEMON Tools Lite\daemon.exe:*:Enabled:ipsec -- (DT Soft Ltd)
"C:\WINDOWS\system32\netsh.exe" = C:\WINDOWS\system32\netsh.exe:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\Program Files\Notepad++\notepad++.exe" = C:\Program Files\Notepad++\notepad++.exe:*:Enabled:ipsec -- (Don HO don.h@free.fr)
"C:\Program Files\Google\Picasa3\PicasaPhotoViewer.exe" = C:\Program Files\Google\Picasa3\PicasaPhotoViewer.exe:*:Enabled:ipsec -- (Google Inc.)
"C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe" = C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe:*:Enabled:ipsec -- (Skype Technologies S.A.)
"C:\Documents and Settings\Mino\Desktop\ComboFix.exe" = C:\Documents and Settings\Mino\Desktop\ComboFix.exe:*:Enabled:ipsec -- ()
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe:*:Enabled:ipsec -- File not found
"C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:ipsec -- (Google Inc.)
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winalnr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winalnr.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windvnqf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windvnqf.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winbeibfx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbeibfx.exe:*:Enabled:ipsec -- File not found
"C:\Program Files\K-Lite Codec Pack\Filters\divxsm.exe" = C:\Program Files\K-Lite Codec Pack\Filters\divxsm.exe:*:Enabled:ipsec -- (DivX Inc.)
"C:\WINDOWS\Explorer.EXE" = C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winklkmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winklkmc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfundws.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfundws.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gxsxgn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gxsxgn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ldba.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ldba.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winffiwxw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winffiwxw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhenx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhenx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\lsjwly.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lsjwly.exe:*:Enabled:ipsec -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhxew.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhxew.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qotjl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qotjl.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnsnub.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnsnub.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winqjaxs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqjaxs.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\slsrj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\slsrj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winqoui.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqoui.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winegriv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winegriv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winetppyi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winetppyi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rbawt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rbawt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winitdpo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winitdpo.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrryp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrryp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gghcv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gghcv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\nftx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\nftx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ehkauy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ehkauy.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\mmldq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\mmldq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ikdn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ikdn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyxwsg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyxwsg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnyso.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnyso.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fxnded.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fxnded.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyevmhf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyevmhf.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ehvq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ehvq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ajlcfd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ajlcfd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winkjop.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkjop.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winjopcfv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjopcfv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winekpetj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winekpetj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windvlent.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windvlent.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyowow.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyowow.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\byoi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\byoi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaikwxr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaikwxr.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\yjaidd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\yjaidd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnkcieb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnkcieb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnobsm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnobsm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\sbtfoa.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sbtfoa.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winvolarn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvolarn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\phbiw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\phbiw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winerabi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winerabi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\hgjb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hgjb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winoqxb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winoqxb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyraix.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyraix.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ekusw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ekusw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pghn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pghn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pjrh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pjrh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winjbuxm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjbuxm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fcap.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fcap.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\obpx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\obpx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ilvhyw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ilvhyw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winlhylw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlhylw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winwwnys.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwwnys.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fdwc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fdwc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winjhcyvg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjhcyvg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrtrapn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrtrapn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfuho.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfuho.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wincwdlw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincwdlw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winpucil.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winpucil.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winifkimo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winifkimo.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfeuce.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfeuce.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wincfpcv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincfpcv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winlpcim.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlpcim.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winxjur.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxjur.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfxfjkd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfxfjkd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wejm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wejm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\xbymx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xbymx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winmadyau.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmadyau.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wintegr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintegr.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfwvhal.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfwvhal.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\sefeh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sefeh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\kxyhh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\kxyhh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winwjfs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwjfs.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winamcq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winamcq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winsoph.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winsoph.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winxyouo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxyouo.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\hjbmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hjbmc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winbkdhb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbkdhb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winmjkx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmjkx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rxfe.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rxfe.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\savmaa.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\savmaa.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\inpusv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\inpusv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\hmbntn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hmbntn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhdfm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhdfm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrunb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrunb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\lpojh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lpojh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winniowt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winniowt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winvvbxb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvvbxb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winovwh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winovwh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wingtterb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingtterb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrvtv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrvtv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winehfngt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winehfngt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\xkjlc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xkjlc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wingsikcx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingsikcx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnoob.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnoob.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winwxesmg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwxesmg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wintffkqe.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintffkqe.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windbuxrp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windbuxrp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\idfqb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\idfqb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winuaigvy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuaigvy.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qagqgv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qagqgv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winilrx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winilrx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winsudn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winsudn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rddf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rddf.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\xfuh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xfuh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\yhcb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\yhcb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\cntdp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\cntdp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winlvuhp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlvuhp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winilnwdx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winilnwdx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wincsnspw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincsnspw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winbyjxtd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbyjxtd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\teaawx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\teaawx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\khtjpx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\khtjpx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winxdgnx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxdgnx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ubok.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ubok.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pexx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pexx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winesnens.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winesnens.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gqiotg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gqiotg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qqvs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qqvs.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winglex.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winglex.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhsgq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhsgq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\iolj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\iolj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winybudvg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winybudvg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gmkewl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gmkewl.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winmwjjfv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmwjjfv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfsnduv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfsnduv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winuslaco.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuslaco.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pkojco.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pkojco.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaxao.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaxao.exe:*:Enabled:ipsec -- File not found
"C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe" = C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe:*:Enabled:ipsec -- ()
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winflpslj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winflpslj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wingqtgg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingqtgg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\komaie.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\komaie.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\beqop.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\beqop.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rxlrri.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rxlrri.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ricq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ricq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winabufn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winabufn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winkqpgi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkqpgi.exe:*:Enabled:ipsec -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{5A438E06-0BB3-4C5F-0085-B14F1F4077E6}" = FIFA 07
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6C117F31-28A8-4477-BE91-64AC0A2204AD}" = Microsoft IntelliPoint 6.01
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{84B2CF01-194D-2284-B313-F2E0D78D1033}" = Nero 7 Demo
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9322A850-9091-4D0E-B252-3E82EDA3D94A}" = Prototype™
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{DB249302-FB94-4578-84FE-7B856C315779}" = HTC Sync
"{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1" = Rootkit Unhooker LE 3.8 SR 2
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F69FD33C-8815-46BF-9134-A643DE68F3C0}" = WinFast® Display Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BSPlayerf" = BS.Player FREE
"Buddy Spy_is1" = Buddy Spy 2.2.19
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Garena" = Garena
"InstallShield_{9322A850-9091-4D0E-B252-3E82EDA3D94A}" = Prototype™
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.7.5 Full
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Picasa 3" = Picasa 3
"StrongDC++_is1" = StrongDC++ 1.00 RC10 cvs105
"VLC media player" = VLC media player 1.0.1
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 18.10.2010 10:36:28 | Computer Name = M | Source = Application Hang | ID = 1002
Description = Hanging application bsplayer.exe, version 2.4.3.1008, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 21.10.2010 16:06:26 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application strongdc.exe, version 0.6.7.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 31.10.2010 14:34:36 | Computer Name = M | Source = Application Hang | ID = 1002
Description = Hanging application bsplayer.exe, version 2.4.3.1008, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11.11.2010 04:12:30 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application winamp.exe, version 5.3.5.1305, faulting module
gen_jumpex.dll, version 0.0.0.0, fault address 0x00002b79.

Error - 11.11.2010 04:12:35 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 12.11.2010 12:15:55 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module msvcr80.dll, version 8.0.50727.4053, fault address 0x00008aa0.

Error - 15.11.2010 13:08:48 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module msvcr80.dll, version 8.0.50727.4053, fault address 0x00008aa0.

Error - 16.11.2010 17:30:37 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x0006a5e4.

Error - 19.11.2010 12:56:40 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module msvcr80.dll, version 8.0.50727.4053, fault address 0x00008aa0.

Error - 19.11.2010 17:26:27 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application strongdc.exe, version 0.6.7.0, faulting module
strongdc.exe, version 0.6.7.0, fault address 0x000e93d5.

[ OSession Events ]
Error - 09.02.2010 16:00:25 | Computer Name = M | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 6560
seconds with 240 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 24.11.2010 20:19:06 | Computer Name = M | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_ABP470N5\0000 disappeared from the system without
first being prepared for removal.

Error - 24.11.2010 22:03:01 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 28.11.2010 14:49:56 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 29.11.2010 13:18:18 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 29.11.2010 14:05:30 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'RTLCPL.exe' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 29.11.2010 20:17:40 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CCleaner 1.40.520.exe' on the volume 'HarddiskVolume5'.
It has stopped monitoring the volume.

Error - 30.11.2010 13:49:54 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 01.12.2010 14:02:17 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 01.12.2010 14:30:39 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'OPNET.Mode .. er-FFS.exe' on the volume 'HarddiskVolume5'.
It has stopped monitoring the volume.

Error - 02.12.2010 08:07:26 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.


< End of report >

#8 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:06 PM

Posted 06 December 2010 - 10:22 AM

Hi bminoiu,

Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case µTorrent). These programs allow file sharing between users as the name(s) suggest. In today's world cyber crime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools as a huge amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools and so these tools must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes on copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

If you decide to keep this program please refrain from using it until we get your computer clean.

Did you set either of these proxy servers? The one in Firefox resolves to PT TELKOM INDONESIA.
The second one in Internet Explorer resolves to Pakistan Islamabad Pern-pakistan Education & Research Network.
FF - prefs.js..network.proxy.http: "125.167.193.41"
111.68.99.22:8080

Step 1.

  • Click on this link--> virustotal

    Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

    C:\Documents and Settings\Mino\Desktop\sex.jpg

    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

    Step 2.

    Disable Emulation Drivers

    I see you have Daemon Tools installed which can interfere with any tools we use and cause false readings. We can disable emulation but I need you to please not use the program while we are cleaning your computer. It may be necessary to temporarily uninstall the program.

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

    Step 3.

    We need to run an OTL Fix
    • Please reopen OTL on your desktop.
    • Copy and paste the following code into the Custom Scans/Fixes textbox.

      :OTL
      PRC - [2010.12.05 18:35:18 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Mino\Local Settings\temp\winkqpgi.exe
      DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Instalate\Garena\plugins\UI\safedrv.sys -- (GGSAFERDriver)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Mino\LOCALS~1\Temp\DSD28D.tmp -- (GarenaPEngine)
      DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\gsjlnh.sys -- (abp470n5)
      O3 - HKLM\..\Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No CLSID value found.
      O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
      O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
      O34 - HKLM BootExecute: (autocheck autochk *) - File not found
      
      :reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
      "FirstRunDisabled"=-
      "AntiVirusOverride"=-
      "FirewallOverride"=-
      "AntiVirusDisableNotify"=-
      "FirewallDisableNotify"=-
      "UpdatesDisableNotify"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
      "AntiVirusOverride"=-
      "AntiVirusDisableNotify"=-
      "FirewallDisableNotify"=-
      "FirewallOverride"=-
      "UpdatesDisableNotify"=-
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
      "EnableFirewall"=-
      "DoNotAllowExceptions"=-
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"=-
      
      :Services
      GarenaPEngine
      GGSAFER Driver
      
      
      :commands
      [EmptyTemp]
      
    • Push the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click OK.
    • A report will open. Copy and Paste that report in your next reply.


    ================================OTL Follow up scan=================================

    Please read the directions carefully as they have changed from the last scan.

    We need to create an OTL Report
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • In the Extra Registry box make sure that Use Safelist is checked.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTList.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Step 4.

I need to see fresh logs from RKUnhooker and TDSSKiller

Please re-run both and post the logs in your next reply.


In your next reply please answer my question about the proxy servers and include the following:

VirusTotal scan results
OTL Fix report
OTList.txt <-- Will be opened
Extra.txt <-- Will be minimized
Fresh RKUnhooker report
Fresh TDSSKiller report


Thanks!!
PW

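The fix in the post above is built the way OTL fixes always are: the suspicious log lines are copied verbatim under :OTL, registry values to drop go under :reg, and [EmptyTemp] under :commands clears the temp folders. As an added example (editor's code, not OldTimer's and not part of the original thread), the Python below applies the same triage to a constructed sample of the log lines quoted in this thread: a process with no publisher string running from a temp folder, a kernel driver reported Running whose file is missing, a nameless toolbar with no CLSID, Explorer policies that lock the user out of Task Manager and Registry Editor, and a Firefox proxy pointing at a public address. The severity labels, the list of lockout policies, and the rule that proxy findings are reported but not auto-fixed (the analyst asked before touching them) are the editor's assumptions; the fix-script layout is OTL's.

```python
"""Triage OTL log lines the way the fix above does and emit an OTL fix script.

Added example written for this page; not OldTimer's code and not the poster's.
Sample lines are copied from the OTL logs quoted in this thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: OTL log lines taken from the logs quoted on this page.
SAMPLE_OTL_LOG = r"""
PRC - [2010.12.05 18:35:18 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Mino\Local Settings\temp\winkqpgi.exe
PRC - [2004.08.03 23:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\gsjlnh.sys -- (abp470n5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010.03.16 08:51:59 | 010,232,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
O3 - HKLM\..\Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
FF - prefs.js..network.proxy.http: "125.167.193.41"
FF - prefs.js..network.proxy.http_port: 8080
"""


@dataclass
class Finding:
    severity: str      # "high", "medium" or "low" (editor's assumption)
    reason: str
    line: str          # the OTL log line, verbatim; OTL accepts it under :OTL
    fixable: bool = True


# Policies that lock a user out of admin tools (assumed set; extend as needed).
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD",
                    "NoFolderOptions", "NoControlPanel"}

PRC_RE = re.compile(r"^PRC - \[[^\]]*\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")
DRV_MISSING_RE = re.compile(
    r"^DRV - File not found \[(?P<type>[^|]+)\|(?P<start>[^|]+)\|(?P<state>[^\]]+)\]"
    r" -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$")
TOOLBAR_RE = re.compile(r"^O3 - .*: \(no name\) - \{[0-9A-Fa-f-]+\} - No CLSID value found\.$")
POLICY_RE = re.compile(r"^O[67] - .*\\policies\\\w+: (?P<name>\w+) = (?P<value>-?\d+)$")
PROXY_RE = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.(?:http|ssl|socks): "(?P<host>[^"]+)"$')


def _is_local(host):
    """True for private or loopback addresses; hostnames are treated as worth asking about."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage(log_text):
    """Scan OTL log lines and return the entries an analyst would act on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PRC_RE.match(line):
            # No publisher string and launched from a temp folder: classic dropper location.
            if not m["company"].strip() and "\\temp\\" in m["path"].lower():
                findings.append(Finding("high", "unsigned process running from a temp folder", line))
        elif m := DRV_MISSING_RE.match(line):
            if m["state"].strip() == "Running":
                # A loaded kernel driver whose file cannot be found: hidden file, rootkit-style.
                findings.append(Finding("high", f"driver {m['name']} is running but its file is missing", line))
            else:
                findings.append(Finding("low", f"orphaned driver entry {m['name']} (file missing)", line))
        elif TOOLBAR_RE.match(line):
            findings.append(Finding("medium", "nameless toolbar entry with no CLSID", line))
        elif m := POLICY_RE.match(line):
            if m["name"] in LOCKOUT_POLICIES and int(m["value"]) != 0:
                findings.append(Finding("high", f"policy {m['name']} locks the user out", line))
        elif m := PROXY_RE.match(line):
            # Report, do not auto-fix: the user may have set the proxy deliberately.
            if not _is_local(m["host"]):
                findings.append(Finding("medium", f"browser proxy points at {m['host']}", line, fixable=False))
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def build_fix(findings):
    """OTL takes its own log lines verbatim under :OTL; [EmptyTemp] clears temp folders."""
    body = "\n".join(f.line for f in findings if f.fixable)
    return f":OTL\n{body}\n\n:commands\n[EmptyTemp]\n"


if __name__ == "__main__":
    found = triage(SAMPLE_OTL_LOG)
    for f in found:
        print(f"[{f.severity}] {f.reason}{'' if f.fixable else ' (ask the user first)'}")
    print(severity_counts(found))
    print(build_fix(found))
```

The proxy finding is deliberately left out of the generated fix, mirroring the post: a proxy at a public address the user does not recognise is a strong indicator, but one the user did set (as turned out to be the case here) should be removed by the user rather than by the tool.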
#9 bminoiu

bminoiu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:06 AM

Posted 06 December 2010 - 02:13 PM

Hi,

Yes, I have previously played with the settings for the proxies for IE and Firefox. I was trying to emulate a new IP on a site where it was allowed to have 1 vote per day/per IP. Since I am not using these browsers (I'm using Google Chrome), I forgot to remove the proxies.

I tried step 1, but the virustotal site was blocked (similar to kaspersky, bitdefender - see my initial post).
I ran step 2, then tried step 1 again and it was successful. All the logs requested are pasted below.
Note: On the first attempt to scan with RkUh, I got a bluescreen and the computer got rebooted (I didn't have time to see the bluescreen error). It ran without problems after reboot.

Some of the symptoms are gone: I have Task Manager and Registry Tools back available.
What are the next steps to assure the infection is gone?

Thanks a lot,
Bogdan

Virustotal:

Antivirus Version Last Update Result
AhnLab-V3 2010.12.06.01 2010.12.06 -
AntiVir 7.10.14.201 2010.12.06 -
Antiy-AVL 2.0.3.7 2010.12.06 -
Avast 4.8.1351.0 2010.12.06 -
Avast5 5.0.677.0 2010.12.06 -
AVG 9.0.0.851 2010.12.06 -
BitDefender 7.2 2010.12.06 -
CAT-QuickHeal 11.00 2010.12.06 -
ClamAV 0.96.4.0 2010.12.06 -
Command 5.2.11.5 2010.12.06 -
Comodo 6970 2010.12.06 -
DrWeb 5.0.2.03300 2010.12.06 -
Emsisoft 5.0.0.50 2010.12.06 -
eSafe 7.0.17.0 2010.12.05 -
eTrust-Vet 36.1.8018 2010.12.05 -
F-Prot 4.6.2.117 2010.12.06 -
F-Secure 9.0.16160.0 2010.12.06 -
Fortinet 4.2.254.0 2010.12.06 -
GData 21 2010.12.06 -
Ikarus T3.1.1.90.0 2010.12.06 -
Jiangmin 13.0.900 2010.12.06 -
K7AntiVirus 9.70.3174 2010.12.06 -
Kaspersky 7.0.0.125 2010.12.06 -
McAfee 5.400.0.1158 2010.12.06 -
McAfee-GW-Edition 2010.1C 2010.12.06 -
Microsoft 1.6402 2010.12.06 -
NOD32 5679 2010.12.06 -
Norman 6.06.10 2010.12.06 -
nProtect 2010-12-06.01 2010.12.06 -
Panda 10.0.2.7 2010.12.06 -
PCTools 7.0.3.5 2010.12.06 -
Prevx 3.0 2010.12.06 -
Rising 22.76.06.04 2010.12.06 -
Sophos 4.60.0 2010.12.06 -
SUPERAntiSpyware 4.40.0.1006 2010.12.06 -
Symantec 20101.2.0.161 2010.12.06 -
TheHacker 6.7.0.1.096 2010.12.06 -
TrendMicro 9.120.0.1004 2010.12.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.06 -
VBA32 3.12.14.2 2010.12.06 -
VIPRE 7535 2010.12.06 -
ViRobot 2010.12.6.4187 2010.12.06 -
VirusBuster 13.6.76.0 2010.12.06 -
Additional information
MD5 : a26bc33b150a95e77dbfeb0798d35cb1
SHA1 : fb91ea4d544bc52a1f8254c30149b6f8450c1210
SHA256: d7141811ad90b2326c7aa4dbb16f92b84e874fa212be1776eaff450de9a7e608
ssdeep: 768:SioYB6NV2Qufnx2jTNhgjkBakuyWexMqWR5:SyBoVDUnx2NAkBakubjL
File size : 28514 bytes
First seen: 2010-12-06 18:36:33
Last seen : 2010-12-06 18:36:33
TrID:
JFIF JPEG Bitmap (50.0%)
JPEG Bitmap (37.4%)
MP3 audio (12.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
ExifTool:
file metadata
BitsPerSample: 8
ColorComponents: 3
Comment: CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 90

EncodingProcess: Baseline DCT, Huffman coding
FileSize: 28 kB
FileType: JPEG
ImageHeight: 272
ImageSize: 600x272
ImageWidth: 600
JFIFVersion: 1.01
MIMEType: image/jpeg
ResolutionUnit: None
XResolution: 1
YCbCrSubSampling: YCbCr4:2:0 (2 2)
YResolution: 1

OTL_12062010_202830.txt

All processes killed
========== OTL ==========
No active process named winkqpgi.exe was found!
Service GGSAFERDriver stopped successfully!
Service GGSAFERDriver deleted successfully!
File F:\Instalate\Garena\plugins\UI\safedrv.sys not found.
Service GarenaPEngine stopped successfully!
Service GarenaPEngine deleted successfully!
File C:\DOCUME~1\Mino\LOCALS~1\Temp\DSD28D.tmp not found.
Service abp470n5 stopped successfully!
Service abp470n5 deleted successfully!
File C:\WINDOWS\System32\drivers\gsjlnh.sys not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{381FFDE8-2394-4f90-B10D-FC6124A40F8C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{381FFDE8-2394-4f90-B10D-FC6124A40F8C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\FirewallDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\FirewallOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\UpdatesDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions deleted successfully.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile not found.
========== SERVICES/DRIVERS ==========
Error: No service named GarenaPEngine was found to stop!
Service\Driver key GarenaPEngine not found.
Error: No service named GGSAFER Driver was found to stop!
Service\Driver key GGSAFER Driver not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users
->Temp folder emptied: 6842310 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Mino
->Temp folder emptied: 1322523 bytes
->Temporary Internet Files folder emptied: 1610225 bytes
->Java cache emptied: 7171203 bytes
->FireFox cache emptied: 171559319 bytes
->Google Chrome cache emptied: 219715735 bytes
->Flash cache emptied: 161885 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2343418 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 392,00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12062010_202830

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


OTL_2010_12_06.txt

OTL logfile created on: 06.12.2010 20:42:01 - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Mino\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000418 | Country: Romania | Language: ROM | Date Format: dd.MM.yyyy

1.023,00 Mb Total Physical Memory | 771,00 Mb Available Physical Memory | 75,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 95,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29,39 Gb Total Space | 5,20 Gb Free Space | 17,71% Space Free | Partition Type: NTFS
Drive D: | 146,63 Gb Total Space | 4,12 Gb Free Space | 2,81% Space Free | Partition Type: NTFS
Drive E: | 49,81 Gb Total Space | 3,27 Gb Free Space | 6,56% Space Free | Partition Type: NTFS
Drive F: | 49,80 Gb Total Space | 3,77 Gb Free Space | 7,56% Space Free | Partition Type: NTFS
Drive G: | 22,46 Gb Total Space | 0,09 Gb Free Space | 0,42% Space Free | Partition Type: NTFS

Computer Name: M | User Name: Mino | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010.12.05 18:36:07 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
PRC - [2009.08.05 20:12:04 | 000,033,280 | ---- | M] (NirSoft) -- C:\volumouse\volumouse.exe
PRC - [2004.08.03 23:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010.12.05 18:36:07 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
MOD - [2009.08.05 20:11:32 | 000,008,704 | ---- | M] (NirSoft) -- C:\volumouse\vlmshlp.dll
MOD - [2004.08.03 23:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009.09.03 10:53:00 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009.07.26 05:43:14 | 000,107,752 | ---- | M] (BioWare) [On_Demand | Stopped] -- D:\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\InCDRm.sys -- (InCDRm)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\InCDPass.sys -- (InCDPass)
DRV - File not found [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\InCDFs.sys -- (InCDFs)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010.03.16 08:51:59 | 010,232,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009.10.04 20:20:01 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009.06.09 23:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2006.12.21 10:26:00 | 004,405,248 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006.04.24 11:52:28 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006.02.17 05:28:32 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006.02.17 05:28:30 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005.01.07 16:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1614895754-746137067-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.ro/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..network.proxy.http: "125.167.193.41"
FF - prefs.js..network.proxy.http_port: 8080

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009.09.14 00:04:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.02.05 19:05:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\bdThunderbird@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2008\tbextension

[2009.09.14 00:04:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mino\Application Data\Mozilla\Extensions
[2009.09.15 01:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mino\Application Data\Mozilla\Firefox\Profiles\69pcy5wu.default\extensions
[2010.05.01 21:43:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.05.01 19:41:14 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

O1 HOSTS File: ([2010.11.25 02:20:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-1614895754-746137067-725345543-1003..\Run: [$Volumouse$] C:\volumouse\volumouse.exe (NirSoft)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.09.13 21:52:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.12.06 20:28:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2010.12.05 18:36:41 | 001,266,000 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Mino\Desktop\TDSSKiller.exe
[2010.12.05 18:36:07 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
[2010.11.28 21:43:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mino\Desktop\MustBeRandomlyNamed
[2010.11.28 21:43:06 | 000,719,574 | ---- | C] (UG North ) -- C:\Documents and Settings\Mino\Desktop\RkU3.8.388.590.exe
[2010.11.28 00:55:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010.11.25 02:51:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mino\Desktop\gmer
[2010.11.25 02:19:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010.11.25 02:16:17 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010.11.25 02:04:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Local Settings
[2010.11.25 02:00:33 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010.11.25 01:52:49 | 000,000,000 | ---D | C] -- C:\Program Files\HiJackThis
[2010.11.25 01:51:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010.11.25 01:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mino\Application Data\Malwarebytes
[2010.11.25 01:21:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010.11.25 01:21:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010.11.25 01:21:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010.11.25 01:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010.11.25 00:36:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010.11.25 00:36:18 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010.11.25 00:36:18 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010.11.25 00:36:18 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010.11.25 00:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010.11.25 00:31:37 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010.11.25 00:31:19 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Mino\Desktop\spybotsd162.exe
[2010.11.25 00:31:19 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mino\Desktop\mbam-setup.exe

========== Files - Modified Within 30 Days ==========

[2010.12.06 20:29:56 | 000,276,202 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010.12.06 20:29:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.12.06 20:24:57 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Mino\defogger_reenable
[2010.12.06 20:24:21 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Defogger.exe
[2010.12.06 20:12:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.12.06 07:09:00 | 000,001,178 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003UA.job
[2010.12.06 06:09:00 | 000,001,126 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003Core.job
[2010.12.06 04:40:42 | 000,000,302 | ---- | M] () -- C:\WINDOWS\WakeMeUP.INI
[2010.12.06 03:53:50 | 000,054,600 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\life_is_too_short_too_listen_to_bad_music.jpg
[2010.12.06 03:47:33 | 000,121,856 | ---- | M] () -- C:\Documents and Settings\Mino\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.12.06 00:56:21 | 000,043,520 | ---- | M] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010.12.06 00:55:54 | 000,000,570 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Diablo II.lnk
[2010.12.05 22:22:38 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.12.05 18:36:07 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mino\Desktop\OTL.exe
[2010.12.05 18:35:22 | 001,130,629 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\tdsskiller.zip
[2010.12.02 13:27:02 | 000,002,453 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Attach_20101202.zip
[2010.12.02 13:26:54 | 000,001,894 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\gmer_20101202.zip
[2010.12.02 03:48:05 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\its-dangerous-to-go-alone1.jpg
[2010.12.02 03:19:32 | 000,000,038 | ---- | M] () -- C:\WINDOWS\avisplitter.INI
[2010.12.02 02:55:28 | 000,019,570 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\mirror-high-five.jpg
[2010.12.02 02:55:14 | 000,035,062 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\broke-back-mountain2.jpg
[2010.12.02 02:55:02 | 000,022,316 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\fact.jpg
[2010.12.01 16:54:51 | 000,150,837 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\laziness_or_genius.jpg
[2010.12.01 00:50:38 | 000,037,353 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\birthday-thanks-facebook-wall.png
[2010.11.28 21:42:45 | 000,629,057 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\RkU3.8.388.590.rar
[2010.11.27 13:19:16 | 000,047,137 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\christmas.jpg
[2010.11.25 02:49:07 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\gmer.zip
[2010.11.25 02:47:27 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\dds.scr
[2010.11.25 02:20:04 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.11.25 02:00:36 | 000,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2010.11.25 01:52:58 | 000,002,551 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\HiJackThis.lnk
[2010.11.25 01:28:28 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010.11.25 01:21:37 | 000,000,524 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Shortcut to regedit.exe.lnk
[2010.11.25 01:21:13 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.11.25 00:45:29 | 000,435,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.11.25 00:45:29 | 000,068,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.11.25 00:29:52 | 027,146,536 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\malware_removal.rar
[2010.11.25 00:27:22 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Mino\Desktop\spybotsd162.exe
[2010.11.25 00:24:24 | 001,401,344 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\HijackThis.msi
[2010.11.25 00:22:47 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mino\Desktop\mbam-setup.exe
[2010.11.25 00:12:50 | 003,992,695 | R--- | M] () -- C:\Documents and Settings\Mino\Desktop\ComboFix.exe
[2010.11.22 02:10:13 | 000,000,602 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\Age of Empires II.lnk
[2010.11.21 20:11:52 | 000,081,984 | ---- | M] () -- C:\WINDOWS\System32\bdod.bin
[2010.11.09 23:19:44 | 000,028,514 | ---- | M] () -- C:\Documents and Settings\Mino\Desktop\sex.jpg
[2010.11.08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe

========== Files Created - No Company Name ==========

[2010.12.06 20:24:49 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Mino\defogger_reenable
[2010.12.06 20:24:23 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Defogger.exe
[2010.12.06 03:54:16 | 000,054,600 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\life_is_too_short_too_listen_to_bad_music.jpg
[2010.12.06 00:55:05 | 000,000,570 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Diablo II.lnk
[2010.12.05 23:54:35 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010.12.05 18:35:21 | 001,130,629 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\tdsskiller.zip
[2010.12.02 13:27:02 | 000,002,453 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Attach_20101202.zip
[2010.12.02 13:26:54 | 000,001,894 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\gmer_20101202.zip
[2010.12.02 03:48:14 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\its-dangerous-to-go-alone1.jpg
[2010.12.02 02:55:32 | 000,019,570 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\mirror-high-five.jpg
[2010.12.02 02:55:22 | 000,035,062 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\broke-back-mountain2.jpg
[2010.12.02 02:55:05 | 000,022,316 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\fact.jpg
[2010.12.01 16:55:00 | 000,150,837 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\laziness_or_genius.jpg
[2010.12.01 00:50:42 | 000,037,353 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\birthday-thanks-facebook-wall.png
[2010.11.28 21:42:49 | 000,629,057 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\RkU3.8.388.590.rar
[2010.11.27 13:19:15 | 000,047,137 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\christmas.jpg
[2010.11.25 02:49:08 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\gmer.zip
[2010.11.25 02:47:28 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\dds.scr
[2010.11.25 01:52:49 | 000,002,551 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\HiJackThis.lnk
[2010.11.25 01:21:37 | 000,000,524 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Shortcut to regedit.exe.lnk
[2010.11.25 01:21:13 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010.11.25 00:36:18 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010.11.25 00:36:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010.11.25 00:36:18 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010.11.25 00:36:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010.11.25 00:36:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010.11.25 00:31:19 | 003,992,695 | R--- | C] () -- C:\Documents and Settings\Mino\Desktop\ComboFix.exe
[2010.11.25 00:31:19 | 001,401,344 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\HijackThis.msi
[2010.11.25 00:30:49 | 027,146,536 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\malware_removal.rar
[2010.11.22 02:09:46 | 000,000,602 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\Age of Empires II.lnk
[2010.11.09 23:19:53 | 000,028,514 | ---- | C] () -- C:\Documents and Settings\Mino\Desktop\sex.jpg
[2010.03.27 15:54:14 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010.01.10 01:19:28 | 000,076,344 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009.10.22 17:17:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009.09.22 23:22:46 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2009.09.15 00:40:37 | 000,121,856 | ---- | C] () -- C:\Documents and Settings\Mino\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.09.15 00:27:31 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.09.15 00:27:27 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.09.15 00:27:27 | 000,612,864 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009.09.15 00:27:27 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.09.15 00:27:26 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009.09.15 00:27:24 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.09.14 01:10:22 | 000,000,302 | ---- | C] () -- C:\WINDOWS\WakeMeUP.INI
[2009.09.14 00:39:27 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009.09.13 22:59:53 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2004.08.03 23:56:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004.07.17 10:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2003.01.07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

< End of report >

Extras_2010_12_06.txt

OTL Extras logfile created on: 06.12.2010 20:42:01 - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Mino\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000418 | Country: Romania | Language: ROM | Date Format: dd.MM.yyyy

1.023,00 Mb Total Physical Memory | 771,00 Mb Available Physical Memory | 75,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 95,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29,39 Gb Total Space | 5,20 Gb Free Space | 17,71% Space Free | Partition Type: NTFS
Drive D: | 146,63 Gb Total Space | 4,12 Gb Free Space | 2,81% Space Free | Partition Type: NTFS
Drive E: | 49,81 Gb Total Space | 3,27 Gb Free Space | 6,56% Space Free | Partition Type: NTFS
Drive F: | 49,80 Gb Total Space | 3,77 Gb Free Space | 7,56% Space Free | Partition Type: NTFS
Drive G: | 22,46 Gb Total Space | 0,09 Gb Free Space | 0,42% Space Free | Partition Type: NTFS

Computer Name: M | User Name: Mino | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"F:\Instalate\Age of Empires II\SETUPREG.EXE" = F:\Instalate\Age of Empires II\SETUPREG.EXE:*:Enabled:ipsec -- ()
"C:\Program Files\Winamp\winamp.exe" = C:\Program Files\Winamp\winamp.exe:*:Enabled:ipsec -- (Nullsoft)
"C:\volumouse\volumouse.exe" = C:\volumouse\volumouse.exe:*:Enabled:ipsec -- (NirSoft)
"C:\Program Files\DAEMON Tools Lite\daemon.exe" = C:\Program Files\DAEMON Tools Lite\daemon.exe:*:Enabled:ipsec -- (DT Soft Ltd)
"C:\WINDOWS\system32\netsh.exe" = C:\WINDOWS\system32\netsh.exe:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\Program Files\Notepad++\notepad++.exe" = C:\Program Files\Notepad++\notepad++.exe:*:Enabled:ipsec -- (Don HO don.h@free.fr)
"C:\Program Files\Google\Picasa3\PicasaPhotoViewer.exe" = C:\Program Files\Google\Picasa3\PicasaPhotoViewer.exe:*:Enabled:ipsec -- (Google Inc.)
"C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe" = C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe:*:Enabled:ipsec -- (Skype Technologies S.A.)
"C:\Documents and Settings\Mino\Desktop\ComboFix.exe" = C:\Documents and Settings\Mino\Desktop\ComboFix.exe:*:Enabled:ipsec -- ()
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe:*:Enabled:ipsec -- File not found
"C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Mino\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:ipsec -- (Google Inc.)
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winalnr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winalnr.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windvnqf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windvnqf.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winbeibfx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbeibfx.exe:*:Enabled:ipsec -- File not found
"C:\Program Files\K-Lite Codec Pack\Filters\divxsm.exe" = C:\Program Files\K-Lite Codec Pack\Filters\divxsm.exe:*:Enabled:ipsec -- (DivX Inc.)
"C:\WINDOWS\Explorer.EXE" = C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winklkmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winklkmc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfundws.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfundws.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gxsxgn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gxsxgn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ldba.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ldba.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winffiwxw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winffiwxw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhenx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhenx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\lsjwly.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lsjwly.exe:*:Enabled:ipsec -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhxew.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhxew.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qotjl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qotjl.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnsnub.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnsnub.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winqjaxs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqjaxs.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\slsrj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\slsrj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winqoui.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqoui.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winegriv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winegriv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winetppyi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winetppyi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rbawt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rbawt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winitdpo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winitdpo.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrryp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrryp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gghcv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gghcv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\nftx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\nftx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ehkauy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ehkauy.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\mmldq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\mmldq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ikdn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ikdn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyxwsg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyxwsg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnyso.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnyso.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fxnded.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fxnded.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyevmhf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyevmhf.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ehvq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ehvq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ajlcfd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ajlcfd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winkjop.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkjop.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winjopcfv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjopcfv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winekpetj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winekpetj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windvlent.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windvlent.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyowow.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyowow.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\byoi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\byoi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaikwxr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaikwxr.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\yjaidd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\yjaidd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnkcieb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnkcieb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnobsm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnobsm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\sbtfoa.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sbtfoa.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winvolarn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvolarn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\phbiw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\phbiw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winerabi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winerabi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\hgjb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hgjb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winoqxb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winoqxb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winyraix.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyraix.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ekusw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ekusw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pghn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pghn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pjrh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pjrh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winjbuxm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjbuxm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fcap.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fcap.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\obpx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\obpx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ilvhyw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ilvhyw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winlhylw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlhylw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winwwnys.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwwnys.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\fdwc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fdwc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winjhcyvg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjhcyvg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrtrapn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrtrapn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfuho.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfuho.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wincwdlw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincwdlw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winpucil.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winpucil.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winifkimo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winifkimo.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfeuce.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfeuce.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wincfpcv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincfpcv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winlpcim.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlpcim.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winxjur.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxjur.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfxfjkd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfxfjkd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wejm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wejm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\xbymx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xbymx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winmadyau.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmadyau.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wintegr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintegr.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfwvhal.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfwvhal.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\sefeh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sefeh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\kxyhh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\kxyhh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winwjfs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwjfs.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winamcq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winamcq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winsoph.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winsoph.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winxyouo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxyouo.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\hjbmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hjbmc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winbkdhb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbkdhb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winmjkx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmjkx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rxfe.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rxfe.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\savmaa.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\savmaa.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\inpusv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\inpusv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\hmbntn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hmbntn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhdfm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhdfm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrunb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrunb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\lpojh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lpojh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winniowt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winniowt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winvvbxb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvvbxb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winovwh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winovwh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wingtterb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingtterb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winrvtv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrvtv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winehfngt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winehfngt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\xkjlc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xkjlc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wingsikcx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingsikcx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnoob.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnoob.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winwxesmg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwxesmg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wintffkqe.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintffkqe.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windbuxrp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windbuxrp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\idfqb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\idfqb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winuaigvy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuaigvy.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qagqgv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qagqgv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winilrx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winilrx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winsudn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winsudn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rddf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rddf.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\xfuh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xfuh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\yhcb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\yhcb.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\cntdp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\cntdp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winlvuhp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlvuhp.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winilnwdx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winilnwdx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wincsnspw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincsnspw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winbyjxtd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbyjxtd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\teaawx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\teaawx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\khtjpx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\khtjpx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winxdgnx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxdgnx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ubok.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ubok.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pexx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pexx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winesnens.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winesnens.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gqiotg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gqiotg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qqvs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qqvs.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winglex.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winglex.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winhsgq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhsgq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\iolj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\iolj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winybudvg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winybudvg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\gmkewl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gmkewl.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winmwjjfv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmwjjfv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winfsnduv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfsnduv.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winuslaco.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuslaco.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\pkojco.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pkojco.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaxao.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaxao.exe:*:Enabled:ipsec -- File not found
"C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe" = C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe:*:Enabled:ipsec -- ()
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winflpslj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winflpslj.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wingqtgg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingqtgg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\komaie.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\komaie.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\beqop.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\beqop.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\rxlrri.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rxlrri.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ricq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ricq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winabufn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winabufn.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winkqpgi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkqpgi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wintcupk.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintcupk.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windqga.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windqga.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winkexw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkexw.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wingbas.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingbas.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winxbjy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxbjy.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winuxihid.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuxihid.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wineuqoik.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wineuqoik.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winahfbh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winahfbh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winguqx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winguqx.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaojt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaojt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ghlvi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ghlvi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\sqcktl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sqcktl.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\kfgnmg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\kfgnmg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\ukkdm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ukkdm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\auwt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\auwt.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winunap.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winunap.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winquex.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winquex.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winvbtcc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvbtcc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\lkwhl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lkwhl.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winqhbib.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqhbib.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windglql.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windglql.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\hkwtyy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hkwtyy.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winouyev.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winouyev.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wintgxxxg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintgxxxg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winatooi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winatooi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\mbxwpd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\mbxwpd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winbava.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbava.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winboxqpi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winboxqpi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winijto.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winijto.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\roisq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\roisq.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\bvip.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\bvip.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winvcmhdg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvcmhdg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winvfte.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvfte.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wdtm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wdtm.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\cnsni.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\cnsni.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winqunkd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqunkd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\wincayi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincayi.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winwanvck.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwanvck.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winqqbhd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqqbhd.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winnjgtmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnjgtmc.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaetbnh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaetbnh.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winenedd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winenedd.exe:*:Enabled:ipsec -- File not found
"C:\Program Files\StrongDC++\StrongDC.exe" = C:\Program Files\StrongDC++\StrongDC.exe:*:Enabled:ipsec -- (Big Muscle, KohlSoft® Corporation ;-))
"C:\DOCUME~1\Mino\LOCALS~1\Temp\windgstyk.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windgstyk.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winventag.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winventag.exe:*:Enabled:ipsec -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{5A438E06-0BB3-4C5F-0085-B14F1F4077E6}" = FIFA 07
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6C117F31-28A8-4477-BE91-64AC0A2204AD}" = Microsoft IntelliPoint 6.01
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{84B2CF01-194D-2284-B313-F2E0D78D1033}" = Nero 7 Demo
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9322A850-9091-4D0E-B252-3E82EDA3D94A}" = Prototype™
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{DB249302-FB94-4578-84FE-7B856C315779}" = HTC Sync
"{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1" = Rootkit Unhooker LE 3.8 SR 2
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F69FD33C-8815-46BF-9134-A643DE68F3C0}" = WinFast® Display Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BSPlayerf" = BS.Player FREE
"Buddy Spy_is1" = Buddy Spy 2.2.19
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Garena" = Garena
"InstallShield_{9322A850-9091-4D0E-B252-3E82EDA3D94A}" = Prototype™
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.7.5 Full
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Picasa 3" = Picasa 3
"StrongDC++_is1" = StrongDC++ 1.00 RC10 cvs105
"VLC media player" = VLC media player 1.0.1
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 21.10.2010 16:06:26 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application strongdc.exe, version 0.6.7.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 31.10.2010 14:34:36 | Computer Name = M | Source = Application Hang | ID = 1002
Description = Hanging application bsplayer.exe, version 2.4.3.1008, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11.11.2010 04:12:30 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application winamp.exe, version 5.3.5.1305, faulting module
gen_jumpex.dll, version 0.0.0.0, fault address 0x00002b79.

Error - 11.11.2010 04:12:35 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 12.11.2010 12:15:55 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module msvcr80.dll, version 8.0.50727.4053, fault address 0x00008aa0.

Error - 15.11.2010 13:08:48 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module msvcr80.dll, version 8.0.50727.4053, fault address 0x00008aa0.

Error - 16.11.2010 17:30:37 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x0006a5e4.

Error - 19.11.2010 12:56:40 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 10.0.0.1270, faulting
module msvcr80.dll, version 8.0.50727.4053, fault address 0x00008aa0.

Error - 19.11.2010 17:26:27 | Computer Name = M | Source = Application Error | ID = 1000
Description = Faulting application strongdc.exe, version 0.6.7.0, faulting module
strongdc.exe, version 0.6.7.0, fault address 0x000e93d5.

Error - 24.11.2010 19:20:12 | Computer Name = M | Source = MsiInstaller | ID = 10005
Description = Product: BitDefender Total Security 2008 -- Please restart your computer
to install the new version of BitDefender Total Security 2008.

[ OSession Events ]
Error - 09.02.2010 16:00:25 | Computer Name = M | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 6560
seconds with 240 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 28.11.2010 14:49:56 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 29.11.2010 13:18:18 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 29.11.2010 14:05:30 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'RTLCPL.exe' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 29.11.2010 20:17:40 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CCleaner 1.40.520.exe' on the volume 'HarddiskVolume5'.
It has stopped monitoring the volume.

Error - 30.11.2010 13:49:54 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 01.12.2010 14:02:17 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 01.12.2010 14:30:39 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'OPNET.Mode .. er-FFS.exe' on the volume 'HarddiskVolume5'.
It has stopped monitoring the volume.

Error - 02.12.2010 08:07:26 | Computer Name = M | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000007F'
while processing the file 'CANALE.EXE' on the volume 'HarddiskVolume5'. It has
stopped monitoring the volume.

Error - 06.12.2010 14:28:30 | Computer Name = M | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 06.12.2010 14:28:30 | Computer Name = M | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).


< End of report >


RkUh_2010_12_06.txt

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>SSDT State
==============================================
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x867C4A00 [4] System (Microsoft Corporation, .NET Framework)
0x85A026A0 [272] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java™ Quick Starter Service)
0x85A5ABE0 [480] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x85E896E8 [592] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x8616D788 [636] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x85DF76E8 [660] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x866B84C0 [704] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x86265788 [732] C:\WINDOWS\system32\savedump.exe (Microsoft Corporation, Windows NT Save Dump Utility)
0x866EFDA0 [740] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x860CF788 [880] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 197.13)
0x866F07E8 [924] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x866C0A20 [972] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x866C2320 [1068] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x86657860 [1192] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85CE3860 [1232] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x859F2BE0 [1420] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x866EDC88 [1660] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x8597A2C8 [1776] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation, IPoint.exe)
0x85977320 [1808] C:\volumouse\volumouse.exe (NirSoft, Volumouse Utility)
0x8599F020 [1876] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Automatic Updates)
0x8595FBF8 [2032] C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation, Windows Security Center Notification App)
0x8594A860 [3180] C:\Documents and Settings\Mino\Desktop\MustBeRandomlyNamed\UfsvbNaujrq.exe (UG North, RKULE, SR2 Normandy)
==============================================
>Drivers
==============================================
0xF558F000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10235904 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 197.13 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6434816 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 197.13 )
0xEF755000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4567040 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1839104 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1839104 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7350000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEF502000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xEF608000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB8292000 C:\WINDOWS\system32\DRIVERS\srv.sys 339968 bytes (Microsoft Corporation, Server driver)
0xF549D000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 307200 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB8099000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF5466000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xF53D9000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xF540D000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF74AC000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB8335000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7323000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEF571000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEF5E0000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7456000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF5510000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF5535000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF5558000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xEF59D000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEF733000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xEF5BF000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E2000 ACPI_HAL 134400 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7406000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF747C000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7308000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xEF4E9000 C:\WINDOWS\System32\Drivers\dump_nvata.sys 102400 bytes
0xF7425000 nvata.sys 102400 bytes (NVIDIA Corporation, NVIDIA® nForce™ IDE Performance Driver)
0xF743E000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF73DD000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF544F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat
!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat
!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\VikPev00
!-->[Hidden] C:\System Volume Information\_restore{EBE37C54-148F-474D-BFEA-9DD59F666744}\RP12\A0003899.exe
!-->[Hidden] C:\System Volume Information\_restore{EBE37C54-148F-474D-BFEA-9DD59F666744}\RP12\A0003901.exe
!-->[Hidden] C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb::$DATA
!-->[Hidden] C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log::$DATA
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006DC5E, Type: Inline - RelativeJump 0x80544C5E-->80544C65 [ntkrnlpa.exe]


TDSSKiller.2.4.1.0_06.12.2010_20.49.39_log

2010/12/06 20:49:39.0562 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/12/06 20:49:39.0562 ================================================================================
2010/12/06 20:49:39.0562 SystemInfo:
2010/12/06 20:49:39.0562
2010/12/06 20:49:39.0562 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/06 20:49:39.0562 Product type: Workstation
2010/12/06 20:49:39.0562 ComputerName: M
2010/12/06 20:49:39.0562 UserName: Mino
2010/12/06 20:49:39.0562 Windows directory: C:\WINDOWS
2010/12/06 20:49:39.0562 System windows directory: C:\WINDOWS
2010/12/06 20:49:39.0562 Processor architecture: Intel x86
2010/12/06 20:49:39.0562 Number of processors: 2
2010/12/06 20:49:39.0562 Page size: 0x1000
2010/12/06 20:49:39.0562 Boot type: Normal boot
2010/12/06 20:49:39.0562 ================================================================================
2010/12/06 20:49:40.0390 Initialize success
2010/12/06 20:49:43.0937 ================================================================================
2010/12/06 20:49:43.0937 Scan started
2010/12/06 20:49:43.0937 Mode: Manual;
2010/12/06 20:49:43.0937 ================================================================================
2010/12/06 20:49:51.0046 ================================================================================
2010/12/06 20:49:51.0046 Scan finished
2010/12/06 20:49:51.0046 ================================================================================
2010/12/06 20:49:57.0421 Deinitialize success

#10 pwgib

  • Malware Response Team
  • 2,956 posts

Posted 07 December 2010 - 05:54 AM

Hi bminoiu,

Step 1.

RKill by Grinler

Link #1
Link #2
Link #3

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.

Step 2.

We need to run another OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the OTL textbox.

    :OTL
    FF - prefs.js..network.proxy.http: "125.167.193.41"
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windnwl.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winalnr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winalnr.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\windvnqf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windvnqf.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winbeibfx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbeibfx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winklkmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winklkmc.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winfundws.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfundws.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\gxsxgn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gxsxgn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ldba.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ldba.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winffiwxw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winffiwxw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winhenx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhenx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\lsjwly.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lsjwly.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winhxew.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhxew.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\qotjl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qotjl.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winnsnub.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnsnub.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winqjaxs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqjaxs.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\slsrj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\slsrj.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winqoui.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqoui.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winegriv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winegriv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winetppyi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winetppyi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\rbawt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rbawt.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winitdpo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winitdpo.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winrryp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrryp.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\gghcv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gghcv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\nftx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\nftx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ehkauy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ehkauy.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\mmldq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\mmldq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ikdn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ikdn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winyxwsg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyxwsg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winnyso.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnyso.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\fxnded.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fxnded.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winyevmhf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyevmhf.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ehvq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ehvq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winayycrq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fwibhm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ajlcfd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ajlcfd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winkjop.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkjop.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winjopcfv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjopcfv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winekpetj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winekpetj.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\windvlent.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windvlent.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winyowow.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyowow.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\byoi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\byoi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winaikwxr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaikwxr.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\yjaidd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\yjaidd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winnkcieb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnkcieb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winnobsm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnobsm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\sbtfoa.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sbtfoa.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winvolarn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvolarn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\phbiw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\phbiw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winerabi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winerabi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\hgjb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hgjb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winoqxb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winoqxb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winyraix.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winyraix.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ekusw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ekusw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\pghn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pghn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\pjrh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pjrh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winjbuxm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjbuxm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\fcap.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fcap.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\obpx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\obpx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ilvhyw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ilvhyw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winlhylw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlhylw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winwwnys.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwwnys.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\fdwc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\fdwc.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winjhcyvg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winjhcyvg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winrtrapn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrtrapn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winfuho.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfuho.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wincwdlw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincwdlw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winpucil.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winpucil.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winifkimo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winifkimo.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winfeuce.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfeuce.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wincfpcv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincfpcv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winlpcim.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlpcim.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winxjur.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxjur.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winfxfjkd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfxfjkd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wejm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wejm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\xbymx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xbymx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winmadyau.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmadyau.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wintegr.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintegr.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winfwvhal.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfwvhal.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\sefeh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sefeh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\kxyhh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\kxyhh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winwjfs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwjfs.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winamcq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winamcq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winsoph.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winsoph.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winxyouo.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxyouo.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\hjbmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hjbmc.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winbkdhb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbkdhb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winmjkx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmjkx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\rxfe.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rxfe.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\savmaa.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\savmaa.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\inpusv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\inpusv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\hmbntn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hmbntn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winhdfm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhdfm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winrunb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrunb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\lpojh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lpojh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winniowt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winniowt.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winvvbxb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvvbxb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winovwh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winovwh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wingtterb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingtterb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winrvtv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winrvtv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winehfngt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winehfngt.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\xkjlc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xkjlc.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wingsikcx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingsikcx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winnoob.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnoob.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winwxesmg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwxesmg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wintffkqe.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintffkqe.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\windbuxrp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windbuxrp.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\idfqb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\idfqb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winuaigvy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuaigvy.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\qagqgv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qagqgv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winilrx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winilrx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winsudn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winsudn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\rddf.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rddf.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\xfuh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\xfuh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\yhcb.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\yhcb.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\cntdp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\cntdp.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winlvuhp.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winlvuhp.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winilnwdx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winilnwdx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wincsnspw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincsnspw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winbyjxtd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbyjxtd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\teaawx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\teaawx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\khtjpx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\khtjpx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winxdgnx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxdgnx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ubok.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ubok.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\pexx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pexx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winesnens.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winesnens.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\gqiotg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gqiotg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\qqvs.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qqvs.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winglex.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winglex.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winhsgq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winhsgq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\iolj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\iolj.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winybudvg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winybudvg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\gmkewl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\gmkewl.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winmwjjfv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winmwjjfv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winfsnduv.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winfsnduv.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winuslaco.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuslaco.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\pkojco.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\pkojco.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winaxao.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaxao.exe:*:Enabled:ipsec -- File not found
    "C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe" = C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe:*:Enabled:ipsec -- ()
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winflpslj.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winflpslj.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wingqtgg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingqtgg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\komaie.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\komaie.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\beqop.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\beqop.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\rxlrri.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\rxlrri.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ricq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ricq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winabufn.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winabufn.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winkqpgi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkqpgi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wintcupk.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintcupk.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\windqga.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windqga.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winkexw.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winkexw.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wingbas.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wingbas.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winxbjy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winxbjy.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winuxihid.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winuxihid.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wineuqoik.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wineuqoik.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winahfbh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winahfbh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winguqx.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winguqx.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winaojt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaojt.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ghlvi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ghlvi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\sqcktl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\sqcktl.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\kfgnmg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\kfgnmg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\ukkdm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\ukkdm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\auwt.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\auwt.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winunap.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winunap.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winquex.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winquex.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winvbtcc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvbtcc.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\lkwhl.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\lkwhl.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winqhbib.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqhbib.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\windglql.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windglql.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\hkwtyy.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\hkwtyy.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winouyev.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winouyev.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wintgxxxg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wintgxxxg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winatooi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winatooi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\mbxwpd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\mbxwpd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winbava.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winbava.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winboxqpi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winboxqpi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winijto.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winijto.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\roisq.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\roisq.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\bvip.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\bvip.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winvcmhdg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvcmhdg.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winvfte.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winvfte.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wdtm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wdtm.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\cnsni.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\cnsni.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winqunkd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqunkd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\wincayi.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\wincayi.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winwanvck.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winwanvck.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winqqbhd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winqqbhd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winnjgtmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnjgtmc.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winaetbnh.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaetbnh.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winenedd.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winenedd.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\windgstyk.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\windgstyk.exe:*:Enabled:ipsec -- File not found
    "C:\DOCUME~1\Mino\LOCALS~1\Temp\winventag.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winventag.exe:*:Enabled:ipsec -- File not found
    
    :commands
    [EmptyTemp]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.

Step 3.

If it is still there, please delete the copy of Combofix that is located on your desktop.

If not, then download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
  • Click on NO, to exit Combofix.

If you have any trouble or are unable to install the Recovery Console, let me know before proceeding!

In your next reply please include the following:

RKill log
OTL report
ComboFix.txt

How is your computer running?

Thanks!!
PW
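The OTL fix above removes a long run of Windows Firewall exceptions (the AuthorizedApplications\List values under HKLM\...\SharedAccess\Parameters\FirewallPolicy\StandardProfile that also show up in the ComboFix log) which all point at short random-named executables in the user's Temp folder, all carry the display name "ipsec", and all report "File not found". Before pasting a fix that long, it helps to triage such a list mechanically instead of by eye. The script below is an added example written for this thread; it is not OTL, ComboFix or BleepingComputer code. It parses lines in the format OTL prints for that key ("path" = path:scope:state:label -- status, tolerating the one line in the fix that lost its opening quote), flags entries that live in a Temp directory, that point at a file that no longer exists, or whose display name does not match the binary it authorizes, and counts how many entries share one label. The sample lines are constructed to mirror the shapes seen in this thread (the company-name trailers on the two benign lines are assumed), and the heuristics are my own assumptions, not OTL's.

```python
"""Triage XP Windows Firewall exception entries as printed by OTL.

Added example for this thread; not OTL, ComboFix or BleepingComputer code.
Assumed line format (the one OTL prints for the
...\FirewallPolicy\StandardProfile\AuthorizedApplications\List values):
    "<key>" = <path>:<scope>:<state>:<label> -- <status>
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the thread's log. The last line deliberately
# lacks its opening quote, as one line in the posted fix does.
SAMPLE_OTL_LINES = r'''
"C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winaybsg.exe:*:Enabled:ipsec -- File not found
"C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\qqwcm.exe:*:Enabled:ipsec -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe" = C:\Documents and Settings\Mino\Desktop\gmer\gmer.exe:*:Enabled:ipsec -- ()
C:\DOCUME~1\Mino\LOCALS~1\Temp\winnjgtmc.exe" = C:\DOCUME~1\Mino\LOCALS~1\Temp\winnjgtmc.exe:*:Enabled:ipsec -- File not found
'''

# Opening/closing quotes around the key are optional so a line that lost one
# still parses.
LINE_RE = re.compile(r'^\s*"?(?P<key>.+?)"?\s*=\s*(?P<rest>.+?)\s*$')


@dataclass
class FirewallException:
    key: str
    path: str
    scope: str      # '*' means any remote address
    state: str      # Enabled / Disabled
    label: str      # display name shown in the firewall UI
    status: str     # OTL trailer: company name, "()" or "File not found"
    reasons: List[str] = field(default_factory=list)


def parse_otl_line(line: str) -> Optional[FirewallException]:
    """Parse one OTL firewall-exception line; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    value, _, status = m.group("rest").partition(" -- ")
    # The path itself contains "C:", so peel the three trailing fields off
    # from the right instead of splitting on every colon.
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, label = parts
    return FirewallException(m.group("key"), path, scope, state, label, status.strip())


def assess(entry: FirewallException) -> List[str]:
    """Reasons an exception looks like malware residue (assumed heuristics)."""
    reasons = []
    p = entry.path.lower()
    if "\\temp\\" in p:
        reasons.append("executable lives in a Temp directory")
    if entry.status.lower().startswith("file not found"):
        reasons.append("exception points at a file that no longer exists")
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    lbl = entry.label.lower()
    # "@dll,-id" resource-string labels are how Windows names its own entries.
    if not lbl.startswith("@") and lbl not in stem and stem not in lbl:
        reasons.append(f"display name {entry.label!r} does not match binary {stem!r}")
    return reasons


def triage(text: str) -> List[FirewallException]:
    """Parse every recognisable line and attach its assessment."""
    entries = []
    for line in text.strip().splitlines():
        e = parse_otl_line(line)
        if e is not None:
            e.reasons = assess(e)
            entries.append(e)
    return entries


def label_clusters(entries: List[FirewallException]) -> Counter:
    """How many exceptions share one display name; one generic label spread
    across many random binaries is itself a signal."""
    return Counter(e.label for e in entries)


if __name__ == "__main__":
    found = triage(SAMPLE_OTL_LINES)
    for e in found:
        print(("SUSPECT" if e.reasons else "ok     ") + f" {e.path}  [{e.label}]")
        for r in e.reasons:
            print(f"         - {r}")
    print("label clusters:", dict(label_clusters(found)))
```

Run it on the real OTL output instead of the sample and the "ipsec" cluster alone separates the injected exceptions from the handful of legitimate ones (uTorrent, sessmgr.exe and the like); the gmer.exe line shows why the label-mismatch check is worth keeping even for files that still exist.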

#11 bminoiu

bminoiu
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 07 December 2010 - 06:23 PM

Hi pwgib,

I followed all the steps you sent me. The logs are below.
I had some problems with step 3:
I downloaded Combofix from the first link and ran it. It did not prompt me to install the recovery console.
Then, I got an error stating that the file n.pif is already in use. I clicked OK, it continued running for a bit and I got the following error:
"Alert! It is not safe to continue! The contents of the Combofix package have been compromised. Please download a fresh copy from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Note: You may be infected with a file patching virus 'Virut'". Upon clicking OK, Combofix stopped and it was deleted from my desktop.
Then I re-downloaded Combofix from the second link and ran it. It prompted me for an update, I updated, it prompted for the installation of the recovery console, I installed it and then it ran smoothly.

My computer is running fine, I am not experiencing any performance issues (I didn't experience any before starting this topic either). However, the registry keys which are disabling TaskManager and RegistryTools are back. They re-appeared at the first boot today (first boot since my last post). The situation is the same now.

Thanks again for your help. What are the steps to follow next?

Regards,
Bogdan

RKill log


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 08.12.2010 at 0:02:24.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\DOCUME~1\Mino\LOCALS~1\Temp\hleu.exe


Rkill completed on 08.12.2010 at 0:02:26.

OTL_12082010_000516.log

All processes killed
========== OTL ==========
Prefs.js: "125.167.193.41" removed from network.proxy.http
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Mino
->Temp folder emptied: 105880 bytes
->Temporary Internet Files folder emptied: 685178 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 118711384 bytes
->Flash cache emptied: 2088 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49152 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 114,00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12082010_000516

Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_6c0.dat moved successfully.

Registry entries deleted on Reboot...


combofixlog_2010_12_08_00_20.log

ComboFix 10-12-06.04 - Mino 08.12.2010 0:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.724 [GMT 2:00]
Running from: c:\documents and settings\Mino\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2010-11-07 to 2010-12-07 )))))))))))))))))))))))))))))))
.

2010-12-06 18:28 . 2010-12-06 18:28 -------- d-----w- C:\_OTL
2010-12-05 21:54 . 2010-12-05 22:56 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-11-24 23:52 . 2010-11-24 23:52 465920 ----a-r- c:\documents and settings\Mino\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-11-24 23:51 . 2010-11-24 23:51 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-11-24 23:21 . 2010-11-24 23:21 -------- d-----w- c:\documents and settings\Mino\Application Data\Malwarebytes
2010-11-24 23:21 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-24 23:21 . 2010-11-24 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-24 23:21 . 2010-11-24 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-24 23:21 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot_2010-11-25_00.20.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-07 22:21 . 2010-12-07 22:21 16384 c:\windows\temp\Perflib_Perfdata_4bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\volumouse\volumouse.exe" [2009-08-05 33280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-16 13670504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^Mino^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Mino\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mino^Start Menu^Programs^Startup^Rds.lnk]
path=c:\documents and settings\Mino\Start Menu\Programs\Startup\Rds.lnk
backup=c:\windows\pss\Rds.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 14:10 113520 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-08-12 22:58 205808 ----atw- c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2010-08-18 07:53 323584 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 233472 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-03-16 00:37 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-03-16 00:37 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-12-19 03:12 16062464 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"UacDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Instalate\\Age of Empires II\\SETUPREG.EXE"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\volumouse\\volumouse.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
"c:\\Documents and Settings\\Mino\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe"=
"c:\\Program Files\\Notepad++\\notepad++.exe"=
"c:\\Program Files\\Google\\Picasa3\\PicasaPhotoViewer.exe"=
"c:\\Program Files\\Skype\\Toolbars\\Shared\\SkypeNames2.exe"=
"c:\\Documents and Settings\\Mino\\Desktop\\ComboFix.exe"=
"c:\\WINDOWS\\regedit.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Documents and Settings\\Mino\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Filters\\divxsm.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Mino\\Desktop\\gmer\\gmer.exe"=
"c:\\Program Files\\StrongDC++\\StrongDC.exe"=
"c:\\Documents and Settings\\Mino\\Desktop\\TDSSKiller.exe"=

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\dragon age\bin_ship\daupdatersvc.service.exe [28.03.2010 11:25 107752]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [28.08.2010 18:57 24576]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04.10.2009 20:20 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003Core.job
- c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-12 22:58]

2010-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-746137067-725345543-1003UA.job
- c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-12 22:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {B1A576AE-6C1E-4339-BC62-54C609C38F00} = 82.76.253.115 82.76.253.125
FF - ProfilePath - c:\documents and settings\Mino\Application Data\Mozilla\Firefox\Profiles\69pcy5wu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Mino\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Extension: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-08 00:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-746137067-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3884)
c:\documents and settings\Mino\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\volumouse\vlmshlp.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-12-08 00:26:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-07 22:26
ComboFix2.txt 2010-11-25 00:22
ComboFix3.txt 2010-11-24 22:42

Pre-Run: 5.391.409.152 bytes free
Post-Run: 5.322.645.504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 59FBD9AF500728EB3AA8D2B6E32F3C11

#12 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 08 December 2010 - 04:48 AM

Hi bminoiu,

"Alert!It is not safe to continue!The contents of the Combofix package have been compromised. Please download a fresh copy from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Note:You may be infected with a file patching virus 'Virut'".

I have some bad news. You are infected with a polymorphic file infector, W32.Sality. Also, see Microsoft information here.

The way the virus inserts its code in files makes it almost impossible to detect by most malware scanners. In your case the ComboFix warning, the driver and service ABP470N5, these entries, ":Enabled:ipsec", plus all the other symptoms you describe and have are a clear indication the virus is present.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

Sality Virus

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards.

Please read:
You should backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them as it can penetrate and infect .exe files inside compressed files too.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There are tools and various rescue disks available from major anti-virus vendors. You can try them or boot from every rescue disk you can find, but they will likely leave your computer in an unbootable state as a result of futile attempts to repair critical system files and drivers. Even the vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Note: The boot order must be set to start from the CD-ROM drive.

If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer's BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM.
Different computers have different ways to enter the BIOS.

Some computers have an Fkey function available when they boot that allows the user to set the boot order.

Changing Your Computers Boot Order

If you have any questions do not hesitate to ask.

Thanks!!
PW
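The autorun propagation described in the post above (a dropped .cmd/.pif/.exe at the root of a drive plus an autorun.inf that loads it), as an added check that is not part of the thread or of any tool named in it: a small Python parser that reads an autorun.inf from a drive before the drive is trusted and reports which root-level executables it would launch, without running anything. It assumes the standard autorun.inf launch keys (open=, shellexecute=, shell\<verb>\command=); the sample file and the dropper name are constructed.

```python
LAUNCH_KEYS = {"open", "shellexecute"}                        # keys that launch a program directly
EXEC_EXT = {".exe", ".cmd", ".pif", ".bat", ".com", ".scr"}  # dropper file types seen at drive roots

def first_token(command):
    """Program name from a command line: a quoted path, otherwise the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def launch_targets(autorun_text):
    """Programs referenced by launch keys in the [autorun] section, in file order."""
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= / shellexecute= run on insertion; shell\<verb>\command= runs from the context menu
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            program = first_token(value)
            if program:
                targets.append(program)
    return targets

def suspicious_targets(autorun_text, root_listing):
    """Launch targets that are executables present at the drive root (root_listing = names there)."""
    rooted = {name.lower() for name in root_listing}
    found = set()
    for program in launch_targets(autorun_text):
        name = program.replace("/", "\\").split("\\")[-1].lower()
        if "." in name and name[name.rfind("."):] in EXEC_EXT and name in rooted:
            found.add(name)
    return sorted(found)

# Constructed sample: an autorun.inf pointing at a dropper at the drive root (file name invented).
SAMPLE_AUTORUN = """[autorun]
OPEN=jzdfj.pif
shell\\open\\Command=jzdfj.pif
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
SAMPLE_ROOT = {"autorun.inf", "jzdfj.pif", "Documents", "photo.jpg"}
print(suspicious_targets(SAMPLE_AUTORUN, SAMPLE_ROOT))  # ['jzdfj.pif']
```

Feed it the real autorun.inf text and the directory listing of the drive root; an empty result only means no launch key points at a root-level executable, not that the drive is clean.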

#13 bminoiu
  • Topic Starter

  • Members
  • 8 posts

Posted 08 December 2010 - 06:26 AM

Hi,

Thanks a lot for your reply and all the info.
I still have some questions:

1. I have used several removable USB drives since the time of the infection. With most of them, it is not an issue to wipe them clean. However, one of these drives is actually my mobile phone, and I wouldn't want to wipe that one.
Also, I remember that at one time, I connected it to my workplace computer, and the antivirus (Symantec) blocked the autorun.inf and recognized the Sality virus - I remember looking it up on the internet.
I deleted the file it was trying to run and the autorun.inf itself. I have since scanned my phone several times and no other infection was found.
The question is: do you think that I should still try to format the phone?
Also, the phone has an Android OS. Since the virus infects only the Win32 platform, the OS should be safe, right?

2. I will format and reinstall, as advised. The question is: is it mandatory with such an infection to wipe all partitions? I have several non-OS partitions with a considerable amount of data that I definitely cannot back up.
I would prefer to format the OS partition, reinstall Windows, install an antivirus and scan the other partitions.
What is your advice?

Thank you,
Bogdan

#14 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 08 December 2010 - 09:08 AM

Hi bminoiu,

Your phone should be fine.

Unfortunately formatting only C is not enough. You have to format all flash drives and other partitions to make sure nothing is left. One single file is enough to reinfect everything again.

I advise you only to back up personal files (pics, documents) and burn these to a CD to make sure no autorun entries get created.

Thanks!!
PW
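The backup rules given in the two replies above (personal data only, never .exe or .scr files, and no zip/cab/rar archives that carry them, since the infector appends itself to executables inside archives too), as an added example that is not part of the thread: a stdlib-only Python triage that sorts a folder into keep / exclude / inspect before anything is burned to CD. It only reads zip directory listings and never opens a file for execution; .rar and .cab cannot be listed without extra libraries, so the example flags them for manual inspection; the sample folder it builds is constructed.

```python
import os
import tempfile
import zipfile

EXECUTABLE_EXT = {".exe", ".scr"}      # what the infector appends itself to, per the thread
OPAQUE_ARCHIVE_EXT = {".rar", ".cab"}  # no stdlib reader: flag these for manual inspection

def zip_has_executable(path):
    """True if any zip member has an executable extension (reads the directory only)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(os.path.splitext(n)[1].lower() in EXECUTABLE_EXT for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe rather than silently keeping it

def triage_backup(root):
    """Sort every file under root into keep / exclude / inspect (paths relative to root, sorted)."""
    result = {"keep": [], "exclude": [], "inspect": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXT:
                result["exclude"].append(rel)          # rule 1: never back up .exe / .scr
            elif ext == ".zip":
                bucket = "exclude" if zip_has_executable(full) else "keep"
                result[bucket].append(rel)             # rule 2: archives carrying executables
            elif ext in OPAQUE_ARCHIVE_EXT:
                result["inspect"].append(rel)          # rar/cab: members cannot be listed here
            else:
                result["keep"].append(rel)             # personal data: documents, pictures, ...
    return {bucket: sorted(paths) for bucket, paths in result.items()}

def build_sample_tree():
    """Constructed fixture: a temp folder mimicking user data plus a few risky files."""
    root = tempfile.mkdtemp(prefix="backup_triage_")
    os.makedirs(os.path.join(root, "photos"))
    for rel in ("thesis.docx", "photos/trip.jpg", "setup.exe", "bubbles.scr", "old.rar"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder content")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("tool/installer.exe", b"placeholder")
    with zipfile.ZipFile(os.path.join(root, "notes.zip"), "w") as zf:
        zf.writestr("notes.txt", b"just text")
    return root

if __name__ == "__main__":
    for bucket, files in triage_backup(build_sample_tree()).items():
        print(bucket, files)
```

Run it against the real data folders on the infected machine from a clean boot medium and copy only the "keep" list; the "inspect" list still has to be opened with an archive tool and checked member by member.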

#15 bminoiu
  • Topic Starter

  • Members
  • 8 posts

Posted 08 December 2010 - 10:01 AM

Ok, I will do as advised.
Thank you very much for all your trouble and your help.

Sincerely grateful,
Bogdan



