Randomly Redirected Google Search Results


  • This topic is locked
43 replies to this topic

#1 O_O_L

O_O_L

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:53 PM

Posted 27 February 2011 - 01:50 PM

Hi,

This is my first post at Bleeping Computer, so I hope I get this correct.

Preparation Guide:
I have gone through the Preparation Guide mentioned in this forum's guidelines. I ran DeFogger without any problems to disable my CD Emulation Drivers. DDS also went through fine, and I will be attaching the logs below.
GMER does not run for me. Sometimes it crashes with an unhandled exception. Other times it simply restarts my computer.

Details of the Problem:
I am getting randomly redirected in the Google Search Results. Chrome and IE do not seem to work for me. Chrome gives the “Aw Snap” error, and IE just hangs. Firefox is all I use, and it sometimes redirects results to pages hawking ads. (I can look at the cached version of the page in Google, and that opens fine.)

Details of my Computer:
This is a Windows XP Pro 32 bit SP3 machine. I have Avira for an anti-virus. I am running everything as Administrator.

My Past Attempts:
Besides GMER, I have attempted to run TDSSKiller from Kaspersky, but that crashes my computer. It barely gets to 80% (initializing, not scanning) and then my computer restarts. I have attempted Rootkit Unhooker. It runs fine except for scanning Files. I get “Error starting helper service”, and my Anti-virus finds some exe in System32 that it does not like. (If you ask me to run this, please let me know if I should disable my anti-virus.)
Note: My Anti-Virus is active while doing all of this/above.

---------------------------------------------
Start of ---->DDS.txt <--------------
---------------------------------------------


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 23:44:36.32 on Sat 02/26/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2042 [GMT -6:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;rio
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Microsoft Web Test Recorder Helper: {62355041-605d-4469-84fd-5d66ed67a7e3} - c:\program files\microsoft visual studio 8\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: NTIECatcher Class: {c56cb6b0-0d96-11d6-8c65-b2868b609932} - c:\program files\xi\nettransport 2\NTIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZone.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Web Test Recorder: {8c84b9f5-3d9e-4204-bb0b-f85d46455868} - mscoree.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AtiPTA] atiptaxx.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [jEdit Server] "c:\program files\java\jdk1.6.0_02\bin\javaw.exe" -xms64m -xmx192m -jar "c:\program files\jedit\jedit.jar" -background -nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\iogear\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\capsex~1.lnk - c:\include\Caps.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\include\connect_vpn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logmei~1.lnk - c:\include\logmein.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powerm~1.lnk - c:\include\powermenu\PowerMenu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wikiex~1.lnk - c:\include\wiki.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\include\window_handling.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all by Net Transport - c:\program files\xi\nettransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\xi\nettransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\iogear\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190038013296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\e3jiv73f.default\
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\e3jiv73f.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\e3jiv73f.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: EZ Drag-n-Drop: ezdragndrop@erika - %profile%\extensions\ezdragndrop@erika
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED} - c:\documents and settings\administrator\local settings\application data\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}

============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-23 11608]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-9-13 13696]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2007-9-17 6656]
R1 oekhlsx;oekhlsx;c:\windows\system32\drivers\oekhlsx.sys [2002-8-28 316832]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-9-19 158736]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-9-19 42960]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-23 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-23 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-23 61960]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-12-6 1238408]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2009-5-27 202584]
R2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2007-9-17 28672]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.3\reporting services\reportserver\bin\ReportingServicesService.exe [2009-5-27 13672]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-9-27 43008]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-2-19 532224]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-12-17 109328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 04BF5A78;04BF5A78;c:\windows\system32\04bf5a78.exe --> c:\windows\system32\04BF5A78.exe [?]
S3 17E90CA4;17E90CA4;c:\windows\system32\17e90ca4.exe --> c:\windows\system32\17E90CA4.exe [?]
S3 6D5CCC9B;6D5CCC9B;c:\windows\system32\6d5ccc9b.exe --> c:\windows\system32\6D5CCC9B.exe [?]
S3 85547B01;85547B01;c:\windows\system32\85547b01.exe --> c:\windows\system32\85547B01.exe [?]
S3 86CF121D;86CF121D;c:\windows\system32\86cf121d.exe --> c:\windows\system32\86CF121D.exe [?]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-9-28 24645]
S3 atm6124;atm6124.Sys ATMEL USB SAMBA Driver;c:\windows\system32\drivers\atm6124.sys --> c:\windows\system32\drivers\atm6124.sys [?]
S3 DDZ;DDZ;c:\docume~1\admini~1\locals~1\temp\DDZ.exe [2011-2-25 494464]
S3 JGJBM;JGJBM;c:\docume~1\admini~1\locals~1\temp\JGJBM.exe [2011-2-24 371584]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\30.tmp --> c:\windows\system32\30.tmp [?]
S3 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-5-9 1693128]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 VMXOTANV;VMXOTANV;c:\docume~1\admini~1\locals~1\temp\VMXOTANV.exe [2011-2-24 588672]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-3-5 23480]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [2007-10-18 20224]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2011-02-26 14:33:35 0 ----a-w- c:\documents and settings\administrator\RootkitRevealer.exe
2011-02-26 03:52:34 -------- d-----w- c:\program files\Sophos
2011-02-24 02:49:35 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-02-24 02:49:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 02:49:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-24 02:49:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 02:49:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-23 02:48:12 -------- d-----w- c:\windows\pss
2011-02-20 03:43:15 0 ----a-w- c:\windows\Bmepipejideduva.bin
2011-02-20 03:43:14 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}
2011-02-20 03:41:50 76288 --sha-r- c:\windows\system32\diskperf7.dll
2011-02-20 03:36:47 -------- d-----w- c:\program files\Zone Labs
2011-02-19 20:19:04 -------- d-----w- c:\program files\SystemRequirementsLab
2011-02-11 04:28:54 -------- d-----w- c:\program files\D-Link

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-04 02:06:27 11070976 ----a-w- c:\windows\system32\temp.001
2011-01-04 02:06:08 1071088 ----a-w- c:\windows\system32\temp.000
2011-01-04 02:05:48 286720 ------w- c:\windows\Setup1.exe
2011-01-04 02:05:47 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 22:31:32 133648 ------w- c:\windows\system32\VBoxNetFltNotify.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 23:45:24.57 ===============

---------------------------------------------
End of ---->DDS.txt <--------------
---------------------------------------------

I hope I did not miss anything. I’d be grateful for your help.
O. O.

Edited by O_O_L, 27 February 2011 - 01:59 PM.
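Reading a DDS log by hand mostly means scanning the SERVICES / DRIVERS and Created Last 30 sections for entries that do not look like installed software. As an added example (this is not code from the post, from DDS or from BleepingComputer), here is a Python triage script that parses those two sections and applies a few heuristics I have chosen myself: a service image under a temp directory, an image that is a .tmp file, a service name made of 8 hex digits, a service whose image DDS could not stat (the "[?]" marker), and a newly created system+hidden file in system32. The sample lines are copied from the DDS.txt above; the function names and the heuristics are my own, not DDS conventions.

```python
import re
from typing import Dict, List

# Constructed sample: service and "Created Last 30" lines copied from the
# DDS.txt in the post above, with a few ordinary entries kept for contrast.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-23 11608]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-9-27 43008]
S3 04BF5A78;04BF5A78;c:\windows\system32\04bf5a78.exe --> c:\windows\system32\04BF5A78.exe [?]
S3 DDZ;DDZ;c:\docume~1\admini~1\locals~1\temp\DDZ.exe [2011-2-25 494464]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\30.tmp --> c:\windows\system32\30.tmp [?]
S3 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-5-9 1693128]

=============== Created Last 30 ================

2011-02-20 03:41:50 76288 --sha-r- c:\windows\system32\diskperf7.dll
2011-02-24 02:49:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# <state> <name>;<display name>;<image path> [<date> <size>]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# <date> <time> <size> <8-char attrs> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
HEX8_RE = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)


def parse_services(log_text: str) -> List[Dict[str, str]]:
    """Parse SERVICES / DRIVERS lines. DDS writes '<raw> --> <resolved>' when it
    had to resolve the image path and '[?]' when it could not read date/size."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, name, display, rest = m.groups()
        meta = ""
        if rest.endswith("]") and "[" in rest:
            rest, meta = rest.rsplit("[", 1)
            meta = meta.rstrip("]").strip()
        path = rest.strip()
        if " --> " in path:
            path = path.split(" --> ", 1)[1].strip()  # keep the resolved path
        services.append({"state": state, "name": name, "display": display,
                         "path": path.lower(), "meta": meta})
    return services


def parse_created(log_text: str) -> List[Dict[str, str]]:
    """Parse 'Created Last 30' lines into date, size, attribute field and path."""
    entries = []
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            date, _time, size, attrs, path = m.groups()
            entries.append({"date": date, "size": size, "attrs": attrs,
                            "path": path.lower()})
    return entries


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {item: [reasons]} for entries worth an analyst's first look.
    These are my own heuristics: a hit is a prompt for review, not a verdict."""
    findings: Dict[str, List[str]] = {}

    def flag(item: str, reason: str) -> None:
        findings.setdefault(item, []).append(reason)

    for svc in parse_services(log_text):
        item = "service " + svc["name"]
        if HEX8_RE.match(svc["name"]):
            flag(item, "name is 8 hex digits, a pattern typical of auto-generated names")
        if "\\temp\\" in svc["path"]:
            flag(item, "image lives under a temp directory")
        if svc["path"].endswith(".tmp"):
            flag(item, "image is a .tmp file")
        if svc["meta"] == "?" and "\\system32\\" in svc["path"]:
            flag(item, "DDS could not read the image's date/size ([?])")

    for entry in parse_created(log_text):
        # In the attribute field, column 3 is 's' (system) and column 4 'h'
        # (hidden), as in the '--sha-r-' line above.
        if "\\system32\\" in entry["path"] and entry["attrs"][2:4] == "sh":
            flag("file " + entry["path"], "newly created system+hidden file in system32")
    return findings


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG).items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

The .tmp and "[?]" heuristics will also fire on entries left behind by legitimate anti-rootkit scanners, and the Created Last 30 section above shows Sophos and Malwarebytes being installed in the same window, so each hit should be followed by checking the file's publisher, signature or hash rather than treated as a finding on its own.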



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:53 PM

Posted 03 March 2011 - 07:21 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended, please try one more time and, if unsuccessful, alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below, another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:



#3 O_O_L

O_O_L
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:53 PM

Posted 03 March 2011 - 09:04 PM

Dear Georgi,

Thank you for getting back to me. This problem is not resolved – and I hope you could provide some help.
First, I have Windows XP Pro 32 bit SP3. Also, I have the CD – but that’s only SP1 as far as I understand.

Over the past few days, I made a few attempts to fix this machine. As mentioned in my original post, I attempted TDSSKiller by Kaspersky – but it crashes. So I then uninstalled Avira (my anti-virus) and tried again. It still crashes. However, I got it to work in Safe Mode, and it reported no viruses.

I have also used ATF-Cleaner to delete my temp files, and Defogger to disable my CD Emulation Drivers.

As mentioned in my original post, I could not get GMER to run, i.e. I was getting unhandled exceptions or random crashes. While Avira was uninstalled, I attempted GMER again. I could get the scan from the exe downloaded from the GMER website, but not from the one available from this website. (For some reason the executable from the GMER website has a random name, and this might be helping.)

Since I needed to get on the internet to make this post, I had to install Avira again.

So, the GMER log is with Avira uninstalled, and the DDS.scr logs are after I installed Avira.

Please let me know if you have any questions. Thanks again.

O. O.
Note: Logs in the next post.

#4 O_O_L

O_O_L
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:53 PM

Posted 03 March 2011 - 09:05 PM

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 19:45:33.47 on Thu 03/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2306 [GMT -6:00]

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;rio
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Microsoft Web Test Recorder Helper: {62355041-605d-4469-84fd-5d66ed67a7e3} - c:\program files\microsoft visual studio 8\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: NTIECatcher Class: {c56cb6b0-0d96-11d6-8c65-b2868b609932} - c:\program files\xi\nettransport 2\NTIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Web Test Recorder: {8c84b9f5-3d9e-4204-bb0b-f85d46455868} - mscoree.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AtiPTA] atiptaxx.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [jEdit Server] "c:\program files\java\jdk1.6.0_02\bin\javaw.exe" -xms64m -xmx192m -jar "c:\program files\jedit\jedit.jar" -background -nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\iogear\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\capsex~1.lnk - c:\include\Caps.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\include\connect_vpn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logmei~1.lnk - c:\include\logmein.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powerm~1.lnk - c:\include\powermenu\PowerMenu.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wikiex~1.lnk - c:\include\wiki.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\include\window_handling.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all by Net Transport - c:\program files\xi\nettransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\xi\nettransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\iogear\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190038013296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\e3jiv73f.default\
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\e3jiv73f.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\e3jiv73f.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: EZ Drag-n-Drop: ezdragndrop@erika - %profile%\extensions\ezdragndrop@erika
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED} - c:\documents and settings\administrator\local settings\application data\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}

============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-3 11608]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-9-13 13696]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2007-9-17 6656]
R1 oekhlsx;oekhlsx;c:\windows\system32\drivers\oekhlsx.sys [2002-8-28 316832]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-9-19 158736]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-9-19 42960]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-3 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-3 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-3 61960]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2009-5-27 202584]
R2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2007-9-17 28672]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.3\reporting services\reportserver\bin\ReportingServicesService.exe [2009-5-27 13672]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-9-27 43008]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-12-17 109328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-12-6 1238408]
S3 04BF5A78;04BF5A78;c:\windows\system32\04bf5a78.exe --> c:\windows\system32\04BF5A78.exe [?]
S3 17E90CA4;17E90CA4;c:\windows\system32\17e90ca4.exe --> c:\windows\system32\17E90CA4.exe [?]
S3 6D5CCC9B;6D5CCC9B;c:\windows\system32\6d5ccc9b.exe --> c:\windows\system32\6D5CCC9B.exe [?]
S3 85547B01;85547B01;c:\windows\system32\85547b01.exe --> c:\windows\system32\85547B01.exe [?]
S3 86CF121D;86CF121D;c:\windows\system32\86cf121d.exe --> c:\windows\system32\86CF121D.exe [?]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-9-28 24645]
S3 atm6124;atm6124.Sys ATMEL USB SAMBA Driver;c:\windows\system32\drivers\atm6124.sys --> c:\windows\system32\drivers\atm6124.sys [?]
S3 DDZ;DDZ;c:\docume~1\admini~1\locals~1\temp\DDZ.exe [2011-2-25 494464]
S3 JGJBM;JGJBM;c:\docume~1\admini~1\locals~1\temp\JGJBM.exe [2011-2-24 371584]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\30.tmp --> c:\windows\system32\30.tmp [?]
S3 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-5-9 1693128]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 VMXOTANV;VMXOTANV;c:\docume~1\admini~1\locals~1\temp\VMXOTANV.exe [2011-2-24 588672]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\microsoft visual studio 8\team tools\performance tools\VSPerfDrv.sys [2006-12-2 48128]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-3-5 23480]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [2007-10-18 20224]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2011-03-04 01:36:42 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-04 01:36:41 -------- d-----w- c:\program files\Avira
2011-03-04 01:36:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-03-03 02:20:46 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-03-02 00:42:43 -------- d-----w- c:\program files\Runtime Software
2011-02-26 14:33:35 0 ----a-w- c:\documents and settings\administrator\RootkitRevealer.exe
2011-02-26 03:52:34 -------- d-----w- c:\program files\Sophos
2011-02-24 02:49:35 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-02-24 02:49:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 02:49:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-24 02:49:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 02:49:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-23 02:48:12 -------- d-----w- c:\windows\pss
2011-02-20 03:43:15 0 ----a-w- c:\windows\Bmepipejideduva.bin
2011-02-20 03:43:14 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}
2011-02-20 03:41:50 76288 --sha-r- c:\windows\system32\diskperf7.dll
2011-02-20 03:37:36 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Conduit
2011-02-20 03:37:20 -------- d-----w- c:\program files\CheckPoint
2011-02-19 20:19:04 -------- d-----w- c:\program files\SystemRequirementsLab
2011-02-11 04:28:54 -------- d-----w- c:\program files\D-Link

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-04 02:06:27 11070976 ----a-w- c:\windows\system32\temp.001
2011-01-04 02:06:08 1071088 ----a-w- c:\windows\system32\temp.000
2011-01-04 02:05:48 286720 ------w- c:\windows\Setup1.exe
2011-01-04 02:05:47 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 22:31:32 133648 ------w- c:\windows\system32\VBoxNetFltNotify.dll
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:45:50.88 ===============

Attached Files
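A first-pass triage of the DDS log above, as an added example that is not part of the thread and not a tool the forum's helpers use. It parses the AV/FW status lines, the SERVICES / DRIVERS entries and the Created Last 30 entries and returns the lines a helper would look at first: protection reported disabled, services named with eight hex digits, service images in a user temp directory, images directly under system32 that DDS could not stat (the `[?]` entries), new files marked hidden+system, and zero-byte files dropped in the Windows directory. The sample input is a handful of lines copied from the log; the regexes and the heuristics are my own assumptions about the DDS line format. A flag is a prompt for review, not a verdict: rescue tools the poster already ran leave entries of their own (the MEMSWEEP2 service is the driver name used by Sophos Anti-Rootkit, whose install shows up in Created Last 30 on 2011-02-26, and the services in the temp directory may be from other scanners), so each hit has to be checked against what was installed and when.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS log posted above.
# A known-good driver and a few innocuous entries are included as controls.
SAMPLE_DDS = r"""
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled*
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-3 11608]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [2007-9-27 43008]
S3 04BF5A78;04BF5A78;c:\windows\system32\04bf5a78.exe --> c:\windows\system32\04BF5A78.exe [?]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-9-28 24645]
S3 DDZ;DDZ;c:\docume~1\admini~1\locals~1\temp\DDZ.exe [2011-2-25 494464]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\30.tmp --> c:\windows\system32\30.tmp [?]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
2011-02-20 03:41:50 76288 --sha-r- c:\windows\system32\diskperf7.dll
2011-02-20 03:43:15 0 ----a-w- c:\windows\Bmepipejideduva.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
"""

# Line shapes are assumptions about DDS output, derived from the log above.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<stat>[^\]]*)\]$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$")
PROTECT_RE = re.compile(r"^(?P<kind>AV|FW): (?P<product>.+?) \*(?P<status>[^*]+)\*")
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str
    line: str


def resolved_image(image: str) -> str:
    """DDS prints 'registry path --> on-disk path' when they differ; keep the on-disk one."""
    path = image.split("-->")[-1].strip().lower()
    return path[4:] if path.startswith("\\??\\") else path


def triage_service(m: re.Match, line: str) -> list[Finding]:
    """Heuristics for one R*/S* service or driver entry."""
    name, image, stat = m["name"], resolved_image(m["image"]), m["stat"]
    directory, _, filename = image.rpartition("\\")
    findings = []
    if HEX_NAME_RE.match(name):
        findings.append(Finding(name, "service name is 8 hex digits (no vendor name)", line))
    if "\\temp\\" in image:
        findings.append(Finding(name, "service image lives in a user temp directory", line))
    # '[?]' means DDS found no file date/size; an .exe or .tmp sitting directly in
    # system32 (not in drivers\) with no stat is worth a look.
    if stat == "?" and directory == r"c:\windows\system32" and not filename.endswith(".sys"):
        findings.append(Finding(name, "image directly under system32 that DDS could not stat ([?])", line))
    return findings


def triage_created(m: re.Match, line: str) -> list[Finding]:
    """Heuristics for one 'Created Last 30' entry."""
    attrs, path = m["attrs"], m["path"].lower()
    directory, _, filename = path.rpartition("\\")
    findings = []
    if "s" in attrs and "h" in attrs:
        findings.append(Finding(filename, "new file marked hidden+system", line))
    if directory == r"c:\windows" and m["size"] == "0":
        findings.append(Finding(filename, "zero-byte file created directly in the Windows directory", line))
    return findings


def triage_dds(text: str) -> list[Finding]:
    """Run every heuristic over a DDS log and return the lines worth a human look."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := PROTECT_RE.match(line)) and "disabled" in m["status"].lower():
            findings.append(Finding(m["product"], f"{m['kind']} reported {m['status']}", line))
        elif m := SERVICE_RE.match(line):
            findings.extend(triage_service(m, line))
        elif m := CREATED_RE.match(line):
            findings.extend(triage_created(m, line))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.name:16} {f.reason}")
```

Run against the sample it reports the two disabled protection products, the 04BF5A78 service twice (hex name, unstattable image in system32), the DDZ service in temp, MEMSWEEP2, the hidden+system diskperf7.dll and the zero-byte .bin, and stays quiet on avgio, sshd, Apache, VBoxNetFlt and shimgvw.dll. Feeding it the full log is just a matter of pasting the whole text in place of the sample.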



#5 O_O_L

O_O_L
  • Topic Starter

  • Members
  • 33 posts

Posted 03 March 2011 - 09:10 PM

Note: I have also attempted Rootkit Unhooker. Its log is attached to this post.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-03 18:41:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000077 MAXTOR_STM3250820AS rev.3.AAE
Running: 9lpkuwls.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugtdrpow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[332] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP D2000025
.text C:\WINDOWS\Explorer.EXE[332] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP D4000025
.text C:\WINDOWS\Explorer.EXE[332] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP B9000025
.text C:\WINDOWS\Explorer.EXE[332] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP D7000025
.text C:\WINDOWS\Explorer.EXE[332] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP DA000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 81000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 88000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 91000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!send 71AB4C27 8 Bytes JMP 8E000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP D9000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 85000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!recv 71AB676F 8 Bytes JMP 9D000025
.text C:\WINDOWS\Explorer.EXE[332] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 8B000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 49000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 4F000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 4C000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 52000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 55000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 03000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 09000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 33000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!send 71AB4C27 8 Bytes JMP 0F000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 43000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 06000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!recv 71AB676F 8 Bytes JMP 46000025
.text C:\WINDOWS\SOUNDMAN.EXE[2072] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 0C000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 4B000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 51000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 4E000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 54000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 57000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 05000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 0B000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 35000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!send 71AB4C27 8 Bytes JMP 32000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 45000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 08000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!recv 71AB676F 8 Bytes JMP 48000025
.text C:\WINDOWS\system32\atiptaxx.exe[2084] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 2F000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 56000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 5C000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 59000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 5F000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 62000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 31000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 37000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 40000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!send 71AB4C27 8 Bytes JMP 3D000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 50000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 34000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!recv 71AB676F 8 Bytes JMP 53000025
.text C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe[2192] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 3A000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 9F000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP A5000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP A2000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP A8000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP AB000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 7A000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 80000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 89000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!send 71AB4C27 8 Bytes JMP 86000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 99000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP F1FFEEEE
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!recv 71AB676F 8 Bytes JMP 9C000025
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2260] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 83000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 88000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 8E000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 8B000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 91000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 94000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 63000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 69000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 72000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!send 71AB4C27 8 Bytes JMP 6F000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 82000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 66000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!recv 71AB676F 8 Bytes JMP 85000025
.text C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe[2380] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 6C000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 3C000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 42000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 3F000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 45000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 48000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP D6000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP DC000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 26000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!send 71AB4C27 8 Bytes JMP 23000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 36000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP D9000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!recv 71AB676F 8 Bytes JMP 39000025
.text C:\Program Files\Netropa\Onscreen Display\OSD.exe[2388] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 20000025
.text C:\WINDOWS\Mixer.exe[2504] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 0E000025
.text C:\WINDOWS\Mixer.exe[2504] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 14000025
.text C:\WINDOWS\Mixer.exe[2504] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 11000025
.text C:\WINDOWS\Mixer.exe[2504] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 17000025
.text C:\WINDOWS\Mixer.exe[2504] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 1A000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP E9000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP EF000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP F8000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!send 71AB4C27 8 Bytes JMP F5000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 08000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!gethostbyname 71AB5355 6 Bytes JMP EC000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!gethostbyname + 7 71AB535C 1 Byte [03]
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!recv 71AB676F 8 Bytes JMP 0B000025
.text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP F2000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 2E000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 34000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 31000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 37000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 3A000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP C8000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP CE000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 18000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!send 71AB4C27 8 Bytes JMP 15000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 28000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP CB000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!recv 71AB676F 8 Bytes JMP 2B000025
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2620] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 12000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 09000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 0F000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 0C000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 12000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 55292341
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP C8000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP E9000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP F2000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!send 71AB4C27 8 Bytes JMP EF000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 03000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP E6000025
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!recv 71AB676F 8 Bytes [55, 90, FF, 25, 00, 00, 06, ...] {PUSH EBP; NOP ; JMP [0x1060000]}
.text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP EC000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 2E000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 34000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 31000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 37000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 3A000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP CF000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 0F000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 18000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!send 71AB4C27 8 Bytes JMP 15000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 28000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP D3000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!recv 71AB676F 8 Bytes JMP 2B000025
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3132] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 12000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 44000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 4A000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 47000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 4D000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 1F000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 25000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP 2E000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!send 71AB4C27 8 Bytes JMP 2B000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 65007200
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 22000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!recv 71AB676F 8 Bytes JMP 41000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 28000025
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3180] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 50000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP F6000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP FC000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP F9000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP FF000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 02000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP C9000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP CF000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP D8000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!send 71AB4C27 8 Bytes JMP D5000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP F0000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP CC000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!recv 71AB676F 8 Bytes JMP F3000025
.text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP D2000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP B7000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP BD000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP BA000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP C0000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP C3000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP 2F000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP 98000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP A1000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!send 71AB4C27 8 Bytes JMP 9E000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP B1000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP 95000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!recv 71AB676F 8 Bytes JMP B4000025
.text C:\Documents and Settings\Administrator\My Documents\Downloads\9lpkuwls.exe[5536] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP 9B000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 3B000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] USER32.dll!GetMessageW 7E4191C6 8 Bytes JMP 41000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] USER32.dll!GetMessageA 7E42772B 8 Bytes JMP 65007200
.text C:\WINDOWS\system32\wuauclt.exe[5848] USER32.dll!GetClipboardData 7E430DBA 8 Bytes JMP 44000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 4F000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!getaddrinfo 71AB2A6F 8 Bytes JMP E5000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!inet_addr 71AB2EE1 8 Bytes JMP EE000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!sendto 71AB2F51 8 Bytes JMP F7000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!send 71AB4C27 8 Bytes JMP F4000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!WSARecv 71AB4CB5 8 Bytes JMP 08000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP EB000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!recv 71AB676F 8 Bytes JMP 0B000025
.text C:\WINDOWS\system32\wuauclt.exe[5848] WS2_32.dll!WSASend 71AB68FA 8 Bytes JMP F1000025

---- Threads - GMER 1.0.15 ----

Thread System [4:360] 8A0310D2
Thread System [4:372] 8A030E6F

---- EOF - GMER 1.0.15 ----

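The GMER hook section above lists, for every running process, which exported functions in USER32.dll, CRYPT32.dll and WS2_32.dll have had their first bytes overwritten with a JMP. Reading hundreds of such lines by hand is error-prone, so the following is an added triage helper (example code written for this page, not part of GMER, ComboFix or the thread). It parses the `.text` lines into structured records, groups them by process, and reports the hook set that every process shares, which is the pattern to look for when the same code has been injected system-wide. The sample lines are copied verbatim from the log in this thread; the grouping of APIs into "network" and "certificate" classes and the `intercepts_traffic` heuristic are this example's own assumptions.

```python
"""Triage helper for GMER user-mode hook lines (".text <image>[<pid>] <module>!<func> ...").

Constructed example: parses the per-process API hook entries GMER prints,
groups them by process and reports which hooked APIs every process shares.
The API classes below are an assumption made for this example, not GMER's.
"""
import re
from collections import defaultdict

# One GMER hook line:  .text <image>[<pid>] <module>!<func>[ + <off>] <addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)

# API classes used for the summary (assumption for this example).
NETWORK_APIS = {"getaddrinfo", "inet_addr", "sendto", "send", "WSARecv",
                "gethostbyname", "recv", "WSASend"}
CERT_APIS = {"PFXImportCertStore"}

# Sample input copied from the GMER log posted in this thread.
SAMPLE_LINES = [
    r".text C:\WINDOWS\Mixer.exe[2504] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP 0E000025",
    r".text C:\WINDOWS\Mixer.exe[2504] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 1A000025",
    r".text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!gethostbyname 71AB5355 6 Bytes JMP EC000025",
    r".text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!gethostbyname + 7 71AB535C 1 Byte [03]",
    r".text C:\WINDOWS\Mixer.exe[2504] WS2_32.dll!recv 71AB676F 8 Bytes JMP 0B000025",
    r".text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] CRYPT32.dll!PFXImportCertStore 77AEFF8F 8 Bytes JMP 55292341",
    r".text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!gethostbyname 71AB5355 8 Bytes JMP E6000025",
    r".text C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe[2828] WS2_32.dll!recv 71AB676F 8 Bytes [55, 90, FF, 25, 00, 00, 06, ...] {PUSH EBP; NOP ; JMP [0x1060000]}",
    r".text C:\WINDOWS\system32\ctfmon.exe[3976] USER32.dll!TranslateMessage 7E418BF6 8 Bytes JMP F6000025",
    r".text C:\WINDOWS\system32\ctfmon.exe[3976] WS2_32.dll!recv 71AB676F 8 Bytes JMP F3000025",
    "---- Threads - GMER 1.0.15 ----",
]


def parse_hook_line(line):
    """Return a dict for one GMER '.text' hook line, or None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["size"] = int(entry["size"])
    entry["offset"] = int(entry["offset"] or 0)
    patch = entry["patch"]
    jmp = re.match(r"JMP\s+([0-9A-Fa-f]+)$", patch)
    if jmp:                      # "8 Bytes JMP <target>" form
        entry["kind"], entry["target"] = "jmp", jmp.group(1)
    elif "JMP" in patch:         # raw bytes plus a {disassembly} that contains a JMP
        entry["kind"], entry["target"] = "jmp-bytes", None
    else:                        # leftover bytes such as "1 Byte [03]"
        entry["kind"], entry["target"] = "bytes", None
    return entry


def summarize(lines):
    """Group hooks by (image, pid) and compute the hook set common to every process.

    Returns (per_process, shared): per_process maps (image, pid) to a set of
    'module!func' names; shared is their intersection.
    """
    per_process = defaultdict(set)
    for line in lines:
        e = parse_hook_line(line)
        if e is None or e["offset"]:
            # Skip non-hook lines and trailing fragments of a hook ("func + 7").
            continue
        per_process[(e["image"], e["pid"])].add(f'{e["module"]}!{e["func"]}')
    shared = set.intersection(*per_process.values()) if per_process else set()
    return dict(per_process), shared


def intercepts_traffic(hooked):
    """Assumed indicator: a process with both socket and certificate-store
    APIs hooked is positioned to read or rewrite its network traffic."""
    funcs = {name.split("!", 1)[1] for name in hooked}
    return bool(funcs & NETWORK_APIS) and bool(funcs & CERT_APIS)


if __name__ == "__main__":
    per_process, shared = summarize(SAMPLE_LINES)
    for (image, pid), hooked in sorted(per_process.items()):
        flag = "  <- network + certificate APIs hooked" if intercepts_traffic(hooked) else ""
        print(f"{image}[{pid}]: {len(hooked)} hooked APIs{flag}")
    print("hooked in every process:", ", ".join(sorted(shared)))
```

Run against the full GMER log instead of `SAMPLE_LINES` (read the file and pass its lines to `summarize`) to see which APIs are hooked in every process; when the shared set covers the whole WS2_32 name-resolution and send/receive surface, as it does in this thread's log, the redirect symptom is being produced inside the processes rather than at the DNS server. The helper only reads the log; it makes no changes to the machine.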
Attached Files



#6 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 05 March 2011 - 09:11 AM

Hello, O_O_L.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1


You do have signs of malware in your logs. Let's start with Combofix.



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 O_O_L
  • Topic Starter

  • Members
  • 33 posts

Posted 05 March 2011 - 11:06 AM

Dear etavares,

Thank you for taking up my log/thread.

First: I forgot to rename the ComboFix.exe – I ran it just as it was. Do you want me to re-run it??

I disabled Avira using the method described in the link you posted (i.e. Right Click on the icon in the system tray and uncheck the option AntiVir Guard enable).

I then closed all the programs that I could. Finally, I ran ComboFix. The following is the ComboFix log, i.e. C:\ComboFix.txt:

ComboFix 11-03-04.06 - Administrator 03/05/2011 9:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2286 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}
c:\documents and settings\Administrator\Local Settings\Application Data\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{8A0BCE3C-9EBA-4F08-B3E9-58D0B3DB20ED}\install.rdf
c:\documents and settings\Administrator\RootkitRevealer.exe
c:\program files\driver
c:\windows\jestertb.dll
c:\windows\ST6UNST.000
c:\windows\system32\Cache
.
.
((((((((((((((((((((((((( Files Created from 2011-02-05 to 2011-03-05 )))))))))))))))))))))))))))))))
.
.
2011-03-05 15:33 . 2011-03-05 15:33 -------- d-----w- C:\32788R22FWJFW.0.tmp
2011-03-05 15:32 . 2011-03-05 15:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2011-03-05 03:59 . 2011-03-05 03:59 -------- d-----w- c:\windows\LastGood
2011-03-04 01:36 . 2011-01-10 20:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-04 01:36 . 2011-01-10 20:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-04 01:36 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-03-04 01:36 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-03-04 01:36 . 2011-03-04 01:36 -------- d-----w- c:\program files\Avira
2011-03-04 01:36 . 2011-03-04 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-03-03 02:20 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-03-02 00:42 . 2011-03-02 00:42 -------- d-----w- c:\program files\Runtime Software
2011-02-26 03:52 . 2011-02-26 03:52 -------- d-----w- c:\program files\Sophos
2011-02-24 02:49 . 2011-02-24 02:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-24 02:49 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 02:49 . 2011-02-24 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-24 02:49 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 02:49 . 2011-02-24 02:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-20 03:43 . 2011-02-24 19:27 0 ----a-w- c:\windows\Bmepipejideduva.bin
2011-02-20 03:41 . 2011-02-20 03:41 76288 --sha-r- c:\windows\system32\diskperf7.dll
2011-02-20 03:37 . 2011-03-03 01:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2011-02-20 03:37 . 2011-02-20 03:37 -------- d-----w- c:\program files\CheckPoint
2011-02-19 20:19 . 2011-02-19 20:19 -------- d-----w- c:\program files\SystemRequirementsLab
2011-02-19 20:18 . 2011-02-19 20:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2011-02-13 22:06 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-02-11 04:28 . 2011-02-11 04:28 -------- d-----w- c:\program files\D-Link
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-28 22:11 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2001-08-18 07:30 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-04 02:06 . 2011-01-04 02:06 11070976 ----a-w- c:\windows\system32\temp.001
2011-01-04 02:06 . 2011-01-04 02:06 1071088 ----a-w- c:\windows\system32\temp.000
2011-01-04 02:05 . 2011-01-04 02:05 286720 ------w- c:\windows\Setup1.exe
2011-01-04 02:05 . 2011-01-04 02:05 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-12-31 13:10 . 2002-08-28 20:44 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 22:31 . 2009-12-17 22:02 109328 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-12-22 22:31 . 2008-09-20 00:50 42960 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-12-22 22:31 . 2008-09-20 00:50 158736 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-12-22 22:31 . 2010-12-22 22:31 133648 ------w- c:\windows\system32\VBoxNetFltNotify.dll
2010-12-22 12:34 . 2002-08-28 22:11 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2002-08-28 22:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-28 22:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2002-08-28 22:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2002-08-28 22:11 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2007-09-14 00:57 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-08-28 22:10 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-08-28 22:10 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2002-08-28 19:34 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-02-28 20:30 . 2008-06-25 02:48 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 20:33 . 2008-06-25 02:48 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-09 39408]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-14 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AtiPTA"="atiptaxx.exe" [2002-06-27 286720]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-09-30 425984]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"jEdit Server"="c:\program files\Java\jdk1.6.0_02\bin\javaw.exe" [2007-07-12 135168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-12 1505144]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-12-06 1910152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-10-13 25214]
Bluetooth.lnk - c:\program files\IOGEAR\Bluetooth Software\BTTray.exe [2005-5-31 577597]
Caps.exe.lnk - c:\include\Caps.exe [2008-1-24 203523]
connect_vpn.exe.lnk - c:\include\connect_vpn.exe [2010-10-6 201646]
logmein.exe.lnk - c:\include\logmein.exe [2008-7-20 201630]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2009-9-28 41051]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2007-9-22 12584112]
PowerMenu.exe.lnk - c:\include\PowerMenu\PowerMenu.exe [2006-10-19 57344]
wiki.exe.lnk - c:\include\wiki.exe [2009-5-30 201535]
window_handling.exe.lnk - c:\include\window_handling.exe [2009-1-23 201856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_02\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Eclipse\\eclipse.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Program Files\\MATLAB\\R2006a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"d:\\WorldLingoEclipse\\eclipse.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server
"22:TCP"= 22:TCP:*:Disabled:SSH
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"1194:UDP"= 1194:UDP:OpenVPN
"2222:TCP"= 2222:TCP:WinXP Remote Desktop
"5022:TCP"= 5022:TCP:Remote Desktop
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 7:40 AM 15328]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [9/13/2007 7:04 PM 13696]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [9/17/2007 12:39 PM 6656]
R1 oekhlsx;oekhlsx;c:\windows\system32\drivers\oekhlsx.sys [8/28/2002 2:43 PM 316832]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/19/2008 6:50 PM 158736]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/19/2008 6:50 PM 42960]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/3/2011 7:36 PM 135336]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [12/6/2010 9:31 AM 1238408]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/27/2009 3:26 AM 202584]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 7:40 AM 220128]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [12/17/2009 4:02 PM 109328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 5:40 PM 135664]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [9/17/2007 12:39 PM 28672]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [5/27/2009 3:26 AM 13672]
S2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [9/27/2007 10:37 AM 43008]
S3 04BF5A78;04BF5A78;c:\windows\system32\04BF5A78.exe --> c:\windows\system32\04BF5A78.exe [?]
S3 17E90CA4;17E90CA4;c:\windows\system32\17E90CA4.exe --> c:\windows\system32\17E90CA4.exe [?]
S3 6D5CCC9B;6D5CCC9B;c:\windows\system32\6D5CCC9B.exe --> c:\windows\system32\6D5CCC9B.exe [?]
S3 85547B01;85547B01;c:\windows\system32\85547B01.exe --> c:\windows\system32\85547B01.exe [?]
S3 86CF121D;86CF121D;c:\windows\system32\86CF121D.exe --> c:\windows\system32\86CF121D.exe [?]
S3 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [9/28/2009 11:41 PM 24645]
S3 atm6124;atm6124.Sys ATMEL USB SAMBA Driver;c:\windows\system32\Drivers\atm6124.sys --> c:\windows\system32\Drivers\atm6124.sys [?]
S3 DDZ;DDZ;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DDZ.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DDZ.exe [?]
S3 JGJBM;JGJBM;c:\docume~1\ADMINI~1\LOCALS~1\Temp\JGJBM.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\JGJBM.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\30.tmp --> c:\windows\system32\30.tmp [?]
S3 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [5/9/2009 10:50 PM 1693128]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 VMXOTANV;VMXOTANV;c:\docume~1\ADMINI~1\LOCALS~1\Temp\VMXOTANV.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\VMXOTANV.exe [?]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [12/2/2006 4:10 AM 48128]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [3/5/2010 1:14 PM 23480]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [10/18/2007 3:08 AM 20224]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 23:40]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 23:40]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-329068152-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-17 00:00]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-329068152-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-17 00:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;rio
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: EZ Drag-n-Drop: ezdragndrop@erika - %profile%\extensions\ezdragndrop@erika
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-CmPCIaudio - CMICNFG3.CPL
SafeBoot-oekhlsx
AddRemove-ActiveTouchMeetingClient - c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Google\Chrome\APPLIC~1\plugins\atcliun.exe
AddRemove-KB955706_DTS9 - c:\windows\DTS9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_NS9 - c:\windows\NS9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_OLAP9 - c:\windows\OLAP9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_RS9 - c:\windows\RS9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_SQL9 - c:\windows\SQL9_KB955706_ENU\Hotfix.exe
AddRemove-KB955706_SQLTools9 - c:\windows\SQLTools9_KB955706_ENU\Hotfix.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-05 09:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\30.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1757981266-329068152-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,3d,f2,0e,bc,ca,5d,4e,94,ad,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,3d,f2,0e,bc,ca,5d,4e,94,ad,5e,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-05 09:47:52
ComboFix-quarantined-files.txt 2011-03-05 15:47
.
Pre-Run: 930,979,840 bytes free
Post-Run: 1,002,754,048 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 187048A05387AA07B60CE173CC25A324

Note: I was under the impression that ComboFix would restart and do something in the Recovery Console. This did not happen. My computer did not automatically restart??

Thanks again for your help,
O. O.

#8 O_O_L

O_O_L
  • Topic Starter

  • Members
  • 33 posts

Posted 05 March 2011 - 08:33 PM

Update: A lot of the symptoms that I was experiencing previously seem to be gone (at least in the last few hours). I did, however, have to reset my internet connection - I guess ComboFix messed that up.

I would, however, like to add that Google seems particularly slow to me - but Yahoo is fine.

After restarting my computer I did the Malwarebytes Anti-Malware full scan – and it seems to be OK. My Anti-virus Avira was enabled while this was running, and during the MBAM scan it complained:

C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\organizer70\files.MYD
Contains recognition pattern of the EXP/Pidief.dey exploit.
Action: Move to quarantine


I uploaded the files.MYD file to VirusTotal and all of the 40+ anti-virus engines found it OK, except Avira, so I asked Avira to ignore it.

My MBAM Log: (MBAM did an update just before I started the scan).

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5968

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/5/2011 7:08:25 PM
mbam-log-2011-03-05 (19-08-25).txt

Scan type: Full scan (C:\|D:\|E:\|I:\|)
Objects scanned: 657820
Time elapsed: 3 hour(s), 29 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by O_O_L, 05 March 2011 - 08:43 PM.


#9 O_O_L

O_O_L
  • Topic Starter

  • Members
  • 33 posts

Posted 05 March 2011 - 10:37 PM

Update: I have a laptop here. I don't have a router - the cable from the modem goes directly into the desktop. I have set up an ad-hoc network between the laptop and the desktop, and share my internet connection with this ad-hoc network.

Now, I can connect to Google just fine from the laptop. This connection surprisingly goes through the desktop and then through the modem. So my connection is fine - but for some reason I can never log in to Google Mail on the desktop. I used Firefox to test this - on both the laptop and the desktop.

I have no clue what the cause of this is. Should I re-install the browser, i.e. Firefox?

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 06 March 2011 - 12:07 PM

Hello, O_O_L.

It's OK that you forgot to rename it... since it ran, there is no need to rename it. Thanks for asking.

The Goored infection was removed, so the redirects should be gone.

There's still malware left on this machine. We'll tackle the other issue after this fix. Now, is this computer we're working on the laptop or the desktop?



ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first. We can reinstall it when we're done with CF. Please let me know if you do uninstall it.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

Driver::
04BF5A78
17E90CA4
6D5CCC9B
85547B01
86CF121D
DDZ
JGJBM
MEMSWEEP2
oekhlsx
File::
c:\windows\system32\04bf5a78.exe
c:\windows\system32\30.tmp
c:\docume~1\admini~1\locals~1\temp\JGJBM.exe
c:\docume~1\admini~1\locals~1\temp\DDZ.exe
c:\windows\system32\86cf121d.exe
c:\windows\system32\85547b01.exe
c:\windows\system32\6d5ccc9b.exe
c:\windows\system32\17e90ca4.exe
c:\windows\Bmepipejideduva.bin
c:\windows\system32\diskperf7.dll
c:\windows\system32\drivers\oekhlsx.sys
Folder::
c:\docume~1\admini~1\locals~1\applic~1\Conduit
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:0000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=0
DDS::
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;rio
RegLock::
[HKEY_USERS\S-1-5-21-1757981266-329068152-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe


(picture not preserved: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
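The procedure above (write a sectioned CFScript.txt, drop it on ComboFix.exe, post the resulting C:\ComboFix.txt) leaves the person doing the cleanup with one question the helper answers by eye: did every item in the script actually get removed? The following is an added example, not part of this thread and not ComboFix's own code. It parses the CFScript section format shown above (Driver::, File::, Folder::, Registry:: and so on) and the follow-up log's "FILE ::" echo, "Other Deletions" and "Drivers/Services" blocks, then reports which requested items the log confirms as removed and which it never mentions. It assumes, from the log posted later in this thread rather than from any ComboFix documentation, that "FILE ::" echoes the script's File:: entries while the other two blocks list what was actually deleted. The sample script and log are constructed from values quoted in the thread, and the Registry:: value is illustrative.

```python
"""Cross-check a CFScript against the ComboFix log it produced.

Added example for this thread; not ComboFix's own code. Assumption (drawn
from the log in the thread): 'FILE ::' echoes the script's File:: list,
'Other Deletions' and 'Drivers/Services' list what was actually removed.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # "(((( Other Deletions ))))"


def parse_cfscript(text):
    """Return {section: [entries]} for a CFScript; blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Extract from a ComboFix log excerpt:
    requested - paths echoed under 'FILE ::' (proves the script was read)
    deleted   - paths listed under 'Other Deletions'
    removed   - names from '-------\\Legacy_X' / '-------\\Service_X' lines
    Comparisons are case-insensitive, as NTFS paths and service names are.
    """
    requested, deleted, removed = set(), set(), set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads with lone dots
            continue
        if line == "FILE ::":
            section = "FILE"
            continue
        m = BANNER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("-------\\"):
            removed.add(line.partition("_")[2].lower())
        elif section == "FILE":
            requested.add(line.strip('"').lower())
        elif section == "Other Deletions":
            deleted.add(line.lower())
    return requested, deleted, removed


def reconcile(script, requested, deleted, removed):
    """Classify every File::/Folder:: and Driver:: entry of the script."""
    report = {"deleted": [], "not_deleted": [],
              "driver_removed": [], "driver_not_removed": []}
    # If the echoed FILE :: list differs from the script, ComboFix did not
    # consume the script we think it did (wrong file name or location).
    report["script_echoed"] = {e.lower() for e in script.get("File", [])} == requested
    for entry in script.get("File", []) + script.get("Folder", []):
        key = entry.lower()
        # a folder counts as handled if it or anything beneath it was deleted
        hit = key in deleted or any(d.startswith(key + "\\") for d in deleted)
        report["deleted" if hit else "not_deleted"].append(entry)
    for drv in script.get("Driver", []):
        hit = drv.lower() in removed
        report["driver_removed" if hit else "driver_not_removed"].append(drv)
    return report


# Constructed sample: a subset of the thread's CFScript and of the later log.
SAMPLE_CFSCRIPT = r"""
Driver::
MEMSWEEP2
oekhlsx
DDZ
File::
c:\windows\system32\30.tmp
c:\windows\system32\drivers\oekhlsx.sys
c:\windows\Bmepipejideduva.bin
Folder::
c:\docume~1\admini~1\locals~1\applic~1\Conduit
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"""

SAMPLE_LOG = r"""
FILE ::
"c:\windows\Bmepipejideduva.bin"
"c:\windows\system32\30.tmp"
"c:\windows\system32\drivers\oekhlsx.sys"
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
c:\docume~1\admini~1\locals~1\applic~1\Conduit
c:\docume~1\admini~1\locals~1\applic~1\Conduit\Toolbar\settings.xml
c:\windows\Bmepipejideduva.bin
c:\windows\system32\drivers\oekhlsx.sys
.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
-------\Legacy_MEMSWEEP2
-------\Legacy_OEKHLSX
-------\Service_MEMSWEEP2
-------\Service_oekhlsx
"""


def run_sample():
    """Reconcile the constructed sample; 30.tmp and DDZ come back unconfirmed."""
    script = parse_cfscript(SAMPLE_CFSCRIPT)
    return reconcile(script, *parse_combofix_log(SAMPLE_LOG))


if __name__ == "__main__":
    for key, items in run_sample().items():
        print(f"{key}: {items}")
```

An entry that lands in `not_deleted` or `driver_not_removed` is not necessarily a failure: as in this thread, the file may simply have been gone already (the earlier ComboFix run or the anti-virus removed it), but it is the list worth re-checking by hand before declaring the machine clean.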
 


#11 O_O_L

O_O_L
  • Topic Starter

  • Members
  • 33 posts

Posted 07 March 2011 - 09:39 AM

Dear etavares,

I am sorry I could not get to this yesterday. I was away from my home all day. I will follow your instructions when I get home today (approx. 6 PM CST).

The infected computer is a Desktop.

To the best of my knowledge, I don’t have AVG – I have Avira? Do you want me to uninstall this? I can disable it if you want and try.

Thanks a lot for your help,
O. O.

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 07 March 2011 - 06:32 PM

OK, I'll keep an eye out. I may not be able to reply until tomorrow, though. You don't need to uninstall Avira. That's a standard warning I accidentally forgot to turn off/delete when I posted.




#13 O_O_L

O_O_L
  • Topic Starter

  • Members
  • 33 posts

Posted 07 March 2011 - 07:49 PM

Thanks etavares. Take your time in replying, I guess I am almost done (I hope – fingers crossed. :tvhorror: )

I disabled Avira, and closed whatever programs I could. I ran ComboFix as you suggested. It seemed to update first, which I let it do. It scanned my computer for a while, and I left it to itself. When I came back it complained about not being able to delete something. I did not note the names of these, and I don't even recall if they were files or folders. In the end ComboFix restarted my computer. However, when starting up, i.e. after the reboot, all of my programs that normally start up did so. So everything was running when the computer rebooted. I am not sure if this is going to be a problem.

Thanks again for your help. Let me know what I should do next.
Regards,
O. O.



ComboFix 11-03-07.02 - Administrator 03/07/2011 18:03:21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2317 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\docume~1\admini~1\locals~1\temp\DDZ.exe"
"c:\docume~1\admini~1\locals~1\temp\JGJBM.exe"
"c:\windows\Bmepipejideduva.bin"
"c:\windows\system32\04bf5a78.exe"
"c:\windows\system32\17e90ca4.exe"
"c:\windows\system32\30.tmp"
"c:\windows\system32\6d5ccc9b.exe"
"c:\windows\system32\85547b01.exe"
"c:\windows\system32\86cf121d.exe"
"c:\windows\system32\diskperf7.dll"
"c:\windows\system32\drivers\oekhlsx.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\admini~1\locals~1\applic~1\Conduit
c:\docume~1\admini~1\locals~1\applic~1\Conduit\Toolbar\Facebook\http___facebook_conduit-services_com_Settings_ashx_locale=en&browserType=IE&toolbarVersion=5_7_4_0.xml
c:\windows\Bmepipejideduva.bin
c:\windows\system32\diskperf7.dll
c:\windows\system32\drivers\oekhlsx.sys
c:\windows\system32\LogFiles
c:\windows\system32\LogFiles\Apache\20090816.log
c:\windows\system32\LogFiles\authdiag\01_Jul_2010_16_39_51_GMT\diag_001.xml
c:\windows\system32\LogFiles\authdiag\01_Jul_2010_16_39_51_GMT\diag_002.xml
c:\windows\system32\LogFiles\authdiag\01_Jul_2010_16_39_51_GMT\diag_003.xml
c:\windows\system32\LogFiles\authdiag\01_Jul_2010_16_39_51_GMT\diag_004.xml
c:\windows\system32\LogFiles\authdiag\05_May_2010_22_48_20_GMT\diag_001.xml
c:\windows\system32\LogFiles\authdiag\05_May_2010_22_48_20_GMT\diag_002.xml
c:\windows\system32\LogFiles\authdiag\30_Mar_2010_02_35_20_GMT\diag_001.xml
c:\windows\system32\LogFiles\authdiag\30_Mar_2010_02_35_20_GMT\diag_002.xml
c:\windows\system32\LogFiles\authdiag\30_Mar_2010_02_38_05_GMT\diag_001.xml
c:\windows\system32\LogFiles\HTTPERR\httperr1.log
c:\windows\system32\LogFiles\W3SVC1\ex100504.log
c:\windows\system32\LogFiles\W3SVC1\ex100505.log
c:\windows\system32\LogFiles\W3SVC1\ex100506.log
c:\windows\system32\LogFiles\W3SVC1\ex100508.log
c:\windows\system32\LogFiles\W3SVC1\ex100509.log
c:\windows\system32\LogFiles\W3SVC1\ex100510.log
c:\windows\system32\LogFiles\W3SVC1\ex100512.log
c:\windows\system32\LogFiles\W3SVC1\ex100513.log
c:\windows\system32\LogFiles\W3SVC1\ex100514.log
c:\windows\system32\LogFiles\W3SVC1\ex100522.log
c:\windows\system32\LogFiles\W3SVC1\ex100523.log
c:\windows\system32\LogFiles\W3SVC1\ex100527.log
c:\windows\system32\LogFiles\W3SVC1\ex100531.log
c:\windows\system32\LogFiles\W3SVC1\ex100610.log
c:\windows\system32\LogFiles\W3SVC1\ex100622.log
c:\windows\system32\LogFiles\W3SVC1\ex100629.log
c:\windows\system32\LogFiles\W3SVC1\ex100630.log
c:\windows\system32\LogFiles\W3SVC1\ex100701.log
c:\windows\system32\LogFiles\W3SVC1\ex100704.log
c:\windows\system32\LogFiles\W3SVC1\ex100705.log
c:\windows\system32\LogFiles\W3SVC1\ex100706.log
c:\windows\system32\LogFiles\W3SVC1\ex100708.log
c:\windows\system32\LogFiles\W3SVC1\ex100709.log
c:\windows\system32\LogFiles\W3SVC1\ex100710.log
c:\windows\system32\LogFiles\W3SVC1\ex100718.log
c:\windows\system32\LogFiles\W3SVC1\ex100721.log
c:\windows\system32\LogFiles\W3SVC1\ex100722.log
c:\windows\system32\LogFiles\W3SVC1\ex100723.log
c:\windows\system32\LogFiles\W3SVC1\ex100725.log
c:\windows\system32\LogFiles\W3SVC1\ex100726.log
c:\windows\system32\LogFiles\W3SVC1\ex100727.log
c:\windows\system32\LogFiles\W3SVC1\ex100728.log
c:\windows\system32\LogFiles\W3SVC1\ex100729.log
c:\windows\system32\LogFiles\W3SVC1\ex100730.log
c:\windows\system32\LogFiles\W3SVC1\ex100801.log
c:\windows\system32\LogFiles\W3SVC1\ex100802.log
c:\windows\system32\LogFiles\W3SVC1\ex100803.log
c:\windows\system32\LogFiles\W3SVC1\ex100804.log
c:\windows\system32\LogFiles\W3SVC1\ex100805.log
c:\windows\system32\LogFiles\W3SVC1\ex100809.log
c:\windows\system32\LogFiles\W3SVC1\ex100810.log
c:\windows\system32\LogFiles\W3SVC1\ex100811.log
c:\windows\system32\LogFiles\W3SVC1\ex100812.log
c:\windows\system32\LogFiles\W3SVC1\ex100814.log
c:\windows\system32\LogFiles\W3SVC1\ex100815.log
c:\windows\system32\LogFiles\W3SVC1\ex100816.log
c:\windows\system32\LogFiles\W3SVC1\ex100817.log
c:\windows\system32\LogFiles\W3SVC1\ex100818.log
c:\windows\system32\LogFiles\W3SVC1\ex100819.log
c:\windows\system32\LogFiles\W3SVC1\ex100820.log
c:\windows\system32\LogFiles\W3SVC1\ex100821.log
c:\windows\system32\LogFiles\W3SVC1\ex100822.log
c:\windows\system32\LogFiles\W3SVC1\ex100823.log
c:\windows\system32\LogFiles\W3SVC1\ex100824.log
c:\windows\system32\LogFiles\W3SVC1\ex100825.log
c:\windows\system32\LogFiles\W3SVC1\ex100826.log
c:\windows\system32\LogFiles\W3SVC1\ex100827.log
c:\windows\system32\LogFiles\W3SVC1\ex100828.log
c:\windows\system32\LogFiles\W3SVC1\ex100829.log
c:\windows\system32\LogFiles\W3SVC1\ex100830.log
c:\windows\system32\LogFiles\W3SVC1\ex100831.log
c:\windows\system32\LogFiles\W3SVC1\ex100901.log
c:\windows\system32\LogFiles\W3SVC1\ex100902.log
c:\windows\system32\LogFiles\W3SVC1\ex100903.log
c:\windows\system32\LogFiles\W3SVC1\ex100906.log
c:\windows\system32\LogFiles\W3SVC1\ex100907.log
c:\windows\system32\LogFiles\W3SVC1\ex100908.log
c:\windows\system32\LogFiles\W3SVC1\ex100912.log
c:\windows\system32\LogFiles\W3SVC1\ex100913.log
c:\windows\system32\LogFiles\W3SVC1\ex100917.log
c:\windows\system32\LogFiles\W3SVC1\ex100922.log
c:\windows\system32\LogFiles\W3SVC1\ex100930.log
c:\windows\system32\LogFiles\W3SVC1\ex101001.log
c:\windows\system32\LogFiles\W3SVC1\ex101005.log
c:\windows\system32\LogFiles\W3SVC1\ex101007.log
c:\windows\system32\LogFiles\W3SVC1\ex101008.log
c:\windows\system32\LogFiles\W3SVC1\ex101009.log
c:\windows\system32\LogFiles\W3SVC1\ex101011.log
c:\windows\system32\LogFiles\W3SVC1\ex101013.log
c:\windows\system32\LogFiles\W3SVC1\ex101014.log
c:\windows\system32\LogFiles\W3SVC1\ex101015.log
c:\windows\system32\LogFiles\W3SVC1\ex101016.log
c:\windows\system32\LogFiles\W3SVC1\ex101019.log
c:\windows\system32\LogFiles\W3SVC1\ex101020.log
c:\windows\system32\LogFiles\W3SVC1\ex101025.log
c:\windows\system32\LogFiles\W3SVC1\ex101029.log
c:\windows\system32\LogFiles\W3SVC1\ex101030.log
c:\windows\system32\LogFiles\W3SVC1\ex101101.log
c:\windows\system32\LogFiles\W3SVC1\ex101102.log
c:\windows\system32\LogFiles\W3SVC1\ex101103.log
c:\windows\system32\LogFiles\W3SVC1\ex101108.log
c:\windows\system32\LogFiles\W3SVC1\ex101109.log
c:\windows\system32\LogFiles\W3SVC1\ex101112.log
c:\windows\system32\LogFiles\W3SVC1\ex101113.log
c:\windows\system32\LogFiles\W3SVC1\ex101116.log
c:\windows\system32\LogFiles\W3SVC1\ex101117.log
c:\windows\system32\LogFiles\W3SVC1\ex101122.log
c:\windows\system32\LogFiles\W3SVC1\ex101128.log
c:\windows\system32\LogFiles\W3SVC1\ex101204.log
c:\windows\system32\LogFiles\W3SVC1\ex101222.log
c:\windows\system32\LogFiles\W3SVC1\ex110223.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_04BF5A78
-------\Legacy_17E90CA4
-------\Legacy_6D5CCC9B
-------\Legacy_85547B01
-------\Legacy_86CF121D
-------\Legacy_DDZ
-------\Legacy_JGJBM
-------\Legacy_MEMSWEEP2
-------\Legacy_OEKHLSX
-------\Service_04BF5A78
-------\Service_17E90CA4
-------\Service_6D5CCC9B
-------\Service_85547B01
-------\Service_86CF121D
-------\Service_DDZ
-------\Service_JGJBM
-------\Service_MEMSWEEP2
-------\Service_oekhlsx
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-05 15:32 . 2011-03-05 15:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2011-03-04 01:36 . 2011-01-10 20:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-04 01:36 . 2011-01-10 20:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-04 01:36 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-03-04 01:36 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-03-04 01:36 . 2011-03-04 01:36 -------- d-----w- c:\program files\Avira
2011-03-04 01:36 . 2011-03-04 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-03-03 02:20 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-03-02 00:42 . 2011-03-02 00:42 -------- d-----w- c:\program files\Runtime Software
2011-02-26 03:52 . 2011-02-26 03:52 -------- d-----w- c:\program files\Sophos
2011-02-24 02:49 . 2011-02-24 02:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-02-24 02:49 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 02:49 . 2011-02-24 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-24 02:49 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 02:49 . 2011-02-24 02:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-20 03:37 . 2011-02-20 03:37 -------- d-----w- c:\program files\CheckPoint
2011-02-19 20:19 . 2011-02-19 20:19 -------- d-----w- c:\program files\SystemRequirementsLab
2011-02-19 20:18 . 2011-02-19 20:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2011-02-13 22:06 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-02-11 04:28 . 2011-02-11 04:28 -------- d-----w- c:\program files\D-Link
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-28 22:11 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2001-08-18 07:30 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-04 02:06 . 2011-01-04 02:06 11070976 ----a-w- c:\windows\system32\temp.001
2011-01-04 02:06 . 2011-01-04 02:06 1071088 ----a-w- c:\windows\system32\temp.000
2011-01-04 02:05 . 2011-01-04 02:05 286720 ------w- c:\windows\Setup1.exe
2011-01-04 02:05 . 2011-01-04 02:05 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-12-31 13:10 . 2002-08-28 20:44 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 22:31 . 2009-12-17 22:02 109328 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2010-12-22 22:31 . 2008-09-20 00:50 42960 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2010-12-22 22:31 . 2008-09-20 00:50 158736 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2010-12-22 22:31 . 2010-12-22 22:31 133648 ------w- c:\windows\system32\VBoxNetFltNotify.dll
2010-12-22 12:34 . 2002-08-28 22:11 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2002-08-28 22:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-28 22:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2002-08-28 22:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2002-08-28 22:11 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2007-09-14 00:57 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-08-28 22:10 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-08-28 22:10 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2002-08-28 19:34 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-02-28 20:30 . 2008-06-25 02:48 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 20:33 . 2008-06-25 02:48 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-09 39408]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-14 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AtiPTA"="atiptaxx.exe" [2002-06-27 286720]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-09-30 425984]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"C-Media Mixer"="Mixer.exe" [2002-07-12 1581056]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"jEdit Server"="c:\program files\Java\jdk1.6.0_02\bin\javaw.exe" [2007-07-12 135168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-12 1505144]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-12-06 1910152]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-10-13 25214]
Bluetooth.lnk - c:\program files\IOGEAR\Bluetooth Software\BTTray.exe [2005-5-31 577597]
Caps.exe.lnk - c:\include\Caps.exe [2008-1-24 203523]
connect_vpn.exe.lnk - c:\include\connect_vpn.exe [2010-10-6 201646]
logmein.exe.lnk - c:\include\logmein.exe [2008-7-20 201630]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2009-9-28 41051]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2007-9-22 12587696]
PowerMenu.exe.lnk - c:\include\PowerMenu\PowerMenu.exe [2006-10-19 57344]
wiki.exe.lnk - c:\include\wiki.exe [2009-5-30 201535]
window_handling.exe.lnk - c:\include\window_handling.exe [2009-1-23 201856]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_02\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_02\\jre\\bin\\java.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Eclipse\\eclipse.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Program Files\\MATLAB\\R2006a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"d:\\WorldLingoEclipse\\eclipse.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server
"22:TCP"= 22:TCP:*:Disabled:SSH
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"1194:UDP"= 1194:UDP:OpenVPN
"2222:TCP"= 2222:TCP:WinXP Remote Desktop
"5022:TCP"= 5022:TCP:Remote Desktop
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 7:40 AM 15328]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [9/13/2007 7:04 PM 13696]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [9/17/2007 12:39 PM 6656]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/19/2008 6:50 PM 158736]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/19/2008 6:50 PM 42960]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/3/2011 7:36 PM 135336]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [12/6/2010 9:31 AM 1238408]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [5/27/2009 3:26 AM 202584]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [9/17/2007 12:39 PM 28672]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 7:40 AM 220128]
R2 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [9/27/2007 10:37 AM 43008]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [12/17/2009 4:02 PM 109328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 5:40 PM 135664]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [5/27/2009 3:26 AM 13672]
S3 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [9/28/2009 11:41 PM 24645]
S3 atm6124;atm6124.Sys ATMEL USB SAMBA Driver;c:\windows\system32\Drivers\atm6124.sys --> c:\windows\system32\Drivers\atm6124.sys [?]
S3 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [5/9/2009 10:50 PM 1693128]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 VMXOTANV;VMXOTANV;c:\docume~1\ADMINI~1\LOCALS~1\Temp\VMXOTANV.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\VMXOTANV.exe [?]
S3 VSPerfDrv;Performance Tools Driver;c:\program files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [12/2/2006 4:10 AM 48128]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [3/5/2010 1:14 PM 23480]
S3 XilinxFirmwareLoader;XilinxFirmwareLoader;c:\windows\system32\drivers\xusbdfwu.sys [10/18/2007 3:08 AM 20224]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 23:40]
.
2011-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 23:40]
.
2011-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-329068152-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-17 00:00]
.
2011-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-329068152-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-17 00:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: EZ Drag-n-Drop: ezdragndrop@erika - %profile%\extensions\ezdragndrop@erika
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 18:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\include\PowerMenu\PowerMenuHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\IOGEAR\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\atiptaxx.exe
c:\windows\Mixer.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Netropa\Multimedia Keyboard\TrayMon.exe
c:\program files\Netropa\Onscreen Display\OSD.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\cygwin\usr\sbin\sshd.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2011-03-07 18:34:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-08 00:34
ComboFix2.txt 2011-03-05 15:47
.
Pre-Run: 138,051,584 bytes free
Post-Run: 914,780,160 bytes free
.
- - End Of File - - 9AA109E22E69A0A69BD4FA0E12E285A1

Edited by O_O_L, 07 March 2011 - 07:50 PM.


#14 etavares

  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:04:53 PM

Posted 08 March 2011 - 07:04 PM

Hello, O_O_L.
Looking better. Are you still getting redirects?

We need to create an OTL Report:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Select "Use Safelist" under "Extra Registry"
  • Push the Posted Image button.
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#15 O_O_L

  • Topic Starter
  • Members
  • 33 posts
  • Local time:02:53 PM

Posted 08 March 2011 - 09:21 PM

Dear etavares,

I followed your instructions. Below is the OTL.Txt, and in the following post I will have Extras.Txt.

OTL.exe seemed to have a lot more options than just what you mentioned. I left all of them at the default. (Extra Registry seemed to have Use Safelist already selected.) I then closed all my applications and disabled my Anti-virus before running OTL.

How’s my Computer:
I think that my computer is doing well. I think the issue with the Redirects got resolved the very first time I ran ComboFix. After this I noticed that I could not log into Gmail, and Google Maps was very very slow.

After the second time I ran ComboFix (using the script that you created in the post above) the issue with the browser seems to have gone away. As I mentioned before, I use FireFox. Just after this fix, FireFox automatically updated to version 3.6.15. I am not sure if it is the Fix or the updating of FireFox, but now I can log into Gmail, and use GoogleMaps without any problems.

I am finding my internet connection a bit slow – but I can never be sure of this, because I moved recently (from the west coast, to almost the east coast.) I don’t think this is a problem though.

Thanks a lot for your help,
O. O.


OTL logfile created on: 3/8/2011 7:41:57 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 40.00 Gb Total Space | 0.78 Gb Free Space | 1.96% Space Free | Partition Type: NTFS
Drive D: | 48.22 Gb Total Space | 2.49 Gb Free Space | 5.17% Space Free | Partition Type: NTFS
Drive E: | 144.66 Gb Total Space | 79.40 Gb Free Space | 54.89% Space Free | Partition Type: NTFS
Drive I: | 931.51 Gb Total Space | 264.59 Gb Free Space | 28.40% Space Free | Partition Type: NTFS

Computer Name: RIO | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/08 19:36:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/01/10 14:23:41 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/01/10 14:23:30 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/01/10 14:23:29 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/09/28 07:02:58 | 000,220,128 | ---- | M] () -- C:\Program Files\Macrium\Reflect\ReflectService.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/08 03:49:52 | 000,285,184 | ---- | M] () -- C:\cygwin\usr\sbin\sshd.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/06/19 03:43:56 | 000,043,008 | ---- | M] () -- C:\cygwin\bin\cygrunsrv.exe
PRC - [2005/05/31 14:23:08 | 000,258,103 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
PRC - [2002/07/12 16:33:12 | 001,581,056 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\WINDOWS\mixer.exe
PRC - [2001/08/06 07:41:48 | 000,028,672 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe


========== Modules (SafeList) ==========

MOD - [2011/03/08 19:36:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (VMXOTANV)
SRV - [2011/01/10 14:23:41 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/01/10 14:23:30 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/12/06 09:31:48 | 001,238,408 | ---- | M] (LogMeIn Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2010/09/28 07:02:58 | 000,220,128 | ---- | M] () [Auto | Running] -- C:\Program Files\Macrium\Reflect\ReflectService.exe -- (ReflectService)
SRV - [2009/04/03 19:07:54 | 001,693,128 | ---- | M] (UltraVNC) [On_Demand | Stopped] -- C:\Program Files\UltraVNC\WinVNC.exe -- (uvnc_service)
SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [On_Demand | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/07/29 13:10:46 | 003,201,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/12/02 06:17:54 | 002,805,000 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2006/06/19 03:43:56 | 000,043,008 | ---- | M] () [Auto | Running] -- C:\cygwin\bin\cygrunsrv.exe -- (sshd)
SRV - [2006/02/02 05:44:34 | 001,359,872 | ---- | M] () [Auto | Stopped] -- C:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe -- (matlabserver)
SRV - [2005/05/31 14:23:08 | 000,258,103 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2001/08/06 07:41:48 | 000,028,672 | ---- | M] () [Auto | Running] -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe -- (nhksrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/01/10 14:23:53 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/01/10 14:23:53 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/12/22 16:31:36 | 000,109,328 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV - [2010/12/22 16:31:34 | 000,158,736 | ---- | M] (Oracle Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2010/12/22 16:31:34 | 000,042,960 | ---- | M] (Oracle Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxUSBMon.sys -- (VBoxUSBMon)
DRV - [2010/09/28 07:03:21 | 000,015,328 | ---- | M] (Macrium Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pssnap.sys -- (pssnap)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/10/01 16:18:44 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/09/23 10:41:58 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/07/17 08:23:00 | 000,476,544 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Dr71WU.sys -- (RT73)
DRV - [2009/04/30 22:55:58 | 002,687,512 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2008/12/31 01:43:48 | 000,023,480 | ---- | M] (Wippien Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wip0204.sys -- (wip0204)
DRV - [2008/04/13 12:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/04/27 08:40:00 | 000,090,688 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/12/02 04:10:00 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys -- (VSPerfDrv)
DRV - [2006/09/24 07:28:47 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/06/01 07:41:28 | 000,013,184 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/06/01 07:41:26 | 000,034,944 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/05/19 15:44:52 | 003,965,056 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2006/03/22 13:31:26 | 000,007,328 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\DS1410D.SYS -- (DS1410D)
DRV - [2005/12/06 10:12:08 | 001,355,456 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmuda3.sys -- (cmuda3)
DRV - [2005/11/16 05:14:04 | 000,333,620 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2005/11/16 05:14:04 | 000,020,224 | ---- | M] (Xilinx, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusbdfwu.sys -- (XilinxFirmwareLoader)
DRV - [2005/08/18 02:52:06 | 000,093,568 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/05/31 14:16:06 | 000,401,152 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2005/05/31 14:13:34 | 001,341,466 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2005/05/31 14:11:18 | 000,030,363 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2005/05/31 14:10:32 | 000,056,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2005/05/31 14:07:56 | 000,148,040 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2005/04/12 21:34:02 | 000,414,464 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2005/04/12 21:32:42 | 000,053,376 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2005/04/04 12:36:52 | 000,009,887 | ---- | M] (Ken Kato) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\Administrator\My Documents\vfd21-080206\vfd.sys -- (VirtualFD)
DRV - [2005/03/16 00:23:54 | 000,013,696 | R--- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)
DRV - [2004/08/03 23:29:28 | 000,327,040 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2002/07/16 10:58:12 | 000,379,726 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)
DRV - [2001/12/20 10:02:12 | 000,006,656 | ---- | M] (Netropa Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Msikbd2k.sys -- (msikbd2k)
DRV - [2001/08/17 14:53:42 | 000,004,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\loop.sys -- (msloop)
DRV - [1996/04/03 13:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}:5.0.16
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.608
FF - prefs.js..extensions.enabledItems: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}:7.1.1.2
FF - prefs.js..extensions.enabledItems: autofillForms@blueimp.net:0.9.8.0
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.6.2
FF - prefs.js..extensions.enabledItems: ezdragndrop@erika:1.0
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.3

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/08 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/08 11:36:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/03/07 18:27:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/03/23 22:16:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/03/23 22:16:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/08 19:37:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions
[2010/12/29 12:08:23 | 000,000,000 | ---D | M] ("Garmin Communicator") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/09/12 13:08:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/08 19:37:22 | 000,000,000 | ---D | M] (iMacros for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
[2011/03/08 19:37:17 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2011/03/08 19:37:22 | 000,000,000 | ---D | M] (Autofill Forms) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\autofillForms@blueimp.net
[2010/08/11 15:50:48 | 000,000,000 | ---D | M] (EZ Drag-n-Drop) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\ezdragndrop@erika
[2011/03/08 19:37:21 | 000,000,000 | ---D | M] (Firebug) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\firebug@software.joehewitt.com
[2010/07/02 22:13:35 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e3jiv73f.default\extensions\LogMeInClient@logmein.com
[2011/03/08 19:37:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/08/01 17:04:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}
[2009/08/20 22:13:48 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2005/11/29 18:28:00 | 000,626,688 | ---- | M] (ebrary) -- C:\Program Files\Mozilla Firefox\plugins\NPinfotl.dll
[2008/05/19 14:57:00 | 002,641,920 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npRACtrl.dll
[2008/02/28 14:30:00 | 000,008,784 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ractrlkeyhook.dll
[2008/02/28 14:33:00 | 000,245,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\unicows.dll

O1 HOSTS File: ([2011/03/07 18:24:04 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Microsoft Web Test Recorder Helper) - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (NTIECatcher Class) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll (Xi)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [jEdit Server] C:\Program Files\Java\jdk1.6.0_02\bin\javaw.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe (Netropa Corp.)
O4 - HKLM..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Caps.exe.lnk = C:\Include\Caps.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\connect_vpn.exe.lnk = C:\Include\connect_vpn.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\logmein.exe.lnk = C:\Include\logmein.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe (Mozilla Messaging)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerMenu.exe.lnk = C:\Include\PowerMenu\PowerMenu.exe (Thong Nguyen)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wiki.exe.lnk = C:\Include\wiki.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\window_handling.exe.lnk = C:\Include\window_handling.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html ()
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190038013296 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/12 22:01:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/08 19:36:17 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/03/05 09:37:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/05 09:34:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/05 09:34:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/05 09:34:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/05 09:34:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/05 09:34:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/05 09:33:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/05 09:32:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Avira
[2011/03/03 19:37:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/03/03 19:36:42 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/03/03 19:36:42 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/03/03 19:36:42 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2011/03/03 19:36:42 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2011/03/03 19:36:41 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/03/03 19:36:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/03/02 19:44:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\tdsskiller
[2011/03/01 18:42:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Runtime Software
[2011/03/01 18:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2011/02/26 08:31:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Rootkit Unhooker LE
[2011/02/25 21:52:34 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011/02/24 18:58:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\RootkitRevealer
[2011/02/23 20:49:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/02/23 20:49:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/02/23 20:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/23 20:49:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/02/23 20:49:26 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/02/23 20:49:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/02/22 20:48:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/02/21 19:24:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\HijackThis
[2011/02/19 21:37:20 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2011/02/19 20:39:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/02/19 14:19:04 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2011/02/19 14:18:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
[2011/02/10 22:28:54 | 000,000,000 | ---D | C] -- C:\Program Files\D-Link
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/08 19:36:44 | 000,000,245 | ---- | M] () -- C:\WINDOWS\Msiosd.ini
[2011/03/08 19:36:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/03/08 19:17:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-329068152-725345543-500UA.job
[2011/03/08 19:05:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/08 18:05:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/08 14:06:42 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2011/03/07 23:17:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-329068152-725345543-500Core.job
[2011/03/07 18:27:45 | 000,000,427 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2011/03/07 18:24:41 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2011/03/07 18:24:04 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/07 18:23:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/07 18:23:22 | 3220,754,432 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/07 17:59:27 | 004,281,963 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/03/07 13:18:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/06 20:47:54 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/05 19:34:44 | 000,001,549 | ---- | M] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2011/03/05 09:38:02 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/03 19:37:00 | 000,001,717 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/03/02 16:40:58 | 049,788,256 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\avira_antivir_personal_en.exe
[2011/03/02 16:36:18 | 001,261,440 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\tdsskiller.zip
[2011/03/01 18:42:47 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2011/02/26 23:17:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/02/26 11:17:22 | 000,000,807 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rootkit_Revealer.zip
[2011/02/26 11:17:13 | 000,010,799 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rootkit_Unhooker_Report.zip
[2011/02/25 18:57:15 | 000,000,912 | ---- | M] () -- C:\WINDOWS\System\Cmicnfg3.ini
[2011/02/24 21:32:36 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Dhayi.dat
[2011/02/24 18:58:32 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\RootkitRevealer.zip
[2011/02/24 13:49:46 | 001,376,832 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\sar_15_sfx.exe
[2011/02/19 21:37:18 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/02/18 22:16:52 | 000,001,594 | ---- | M] () -- C:\WINDOWS\VPNUnInstall.MIF
[2011/02/14 10:07:24 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/13 16:30:46 | 000,694,600 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/13 16:30:46 | 000,159,702 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/11 18:48:48 | 000,158,752 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/11 18:43:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/09 15:23:04 | 000,126,356 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\USCIS AR-11 Rio Mascarenhas.pdf
[2011/02/09 15:07:43 | 000,736,180 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Howard_Mascarenhas_H1B_Approval Notice.pdf
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/05 19:34:44 | 000,001,549 | ---- | C] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2011/03/05 09:38:02 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/05 09:37:58 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/05 09:34:49 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/05 09:34:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/05 09:34:49 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/05 09:34:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/05 09:34:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/05 09:28:57 | 004,281,963 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/03/03 19:37:00 | 000,001,717 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/03/02 20:24:49 | 3220,754,432 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/02 19:44:24 | 001,261,440 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\tdsskiller.zip
[2011/03/02 19:44:20 | 049,788,256 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\avira_antivir_personal_en.exe
[2011/03/01 18:42:47 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DriveImage XML.lnk
[2011/02/26 23:17:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/02/26 11:17:22 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rootkit_Revealer.zip
[2011/02/26 11:17:13 | 000,010,799 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rootkit_Unhooker_Report.zip
[2011/02/25 21:52:24 | 001,376,832 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\sar_15_sfx.exe
[2011/02/24 18:57:33 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\RootkitRevealer.zip
[2011/02/19 21:43:15 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dhayi.dat
[2011/02/19 21:37:18 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/02/09 15:23:04 | 000,126,356 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\USCIS AR-11 Rio Mascarenhas.pdf
[2011/02/09 15:07:43 | 000,736,180 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Howard_Mascarenhas_H1B_Approval Notice.pdf
[2010/08/02 21:23:47 | 000,091,184 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/30 16:47:54 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2010/06/30 16:47:54 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2010/06/30 16:47:31 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2010/06/30 16:47:31 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2010/06/30 16:47:31 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2010/01/15 17:24:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/30 22:39:36 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/01/01 15:54:58 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\nets12.dll
[2008/11/15 01:15:16 | 000,000,045 | ---- | C] () -- C:\WINDOWS\winbates.ini
[2008/11/08 21:39:22 | 000,007,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\DS1410D.SYS
[2008/11/03 20:29:54 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/02/10 04:36:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\search.INI
[2008/02/10 03:31:16 | 000,000,146 | ---- | C] () -- C:\WINDOWS\capture.INI
[2008/02/10 03:06:19 | 000,007,470 | ---- | C] () -- C:\WINDOWS\keyview.ini
[2008/01/31 00:47:58 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/11/22 11:07:23 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2007/11/08 14:51:06 | 000,023,280 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2007/10/28 01:45:00 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2007/10/28 01:17:26 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\CMRMDRV3.exe
[2007/10/28 01:17:26 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\CMRMDRV3.DLL
[2007/10/28 01:17:26 | 000,000,464 | ---- | C] () -- C:\WINDOWS\CMUDA3.ini
[2007/10/28 01:07:57 | 000,000,388 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2007/10/25 03:58:56 | 000,000,071 | ---- | C] () -- C:\WINDOWS\sc.INI
[2007/10/25 03:02:11 | 000,002,238 | ---- | C] () -- C:\WINDOWS\statecad.ini
[2007/10/21 14:48:48 | 000,004,333 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2007/10/21 14:47:20 | 000,036,932 | ---- | C] () -- C:\WINDOWS\cmijack.dat
[2007/10/21 14:47:20 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini
[2007/10/21 14:47:20 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.dat
[2007/10/16 23:59:11 | 000,000,158 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2007/09/29 13:33:26 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2007/09/27 08:57:49 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\NMOCOD.DLL
[2007/09/27 08:57:49 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\NMCLN.EXE
[2007/09/27 08:57:45 | 000,903,168 | ---- | C] () -- C:\WINDOWS\System32\mitmdl30.dll
[2007/09/27 08:57:45 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\lffax60n.dll
[2007/09/27 08:57:45 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\lfcmp60n.dll
[2007/09/27 08:57:45 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\lfpng60n.dll
[2007/09/27 08:57:45 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\lftif60n.dll
[2007/09/27 08:57:45 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\lfpcx60n.dll
[2007/09/27 08:57:45 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfpct60n.dll
[2007/09/27 08:57:45 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfeps60n.dll
[2007/09/27 08:57:45 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\lfbmp60n.dll
[2007/09/27 08:57:45 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\lfpsd60n.dll
[2007/09/27 08:57:45 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\lftga60n.dll
[2007/09/27 08:57:45 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwpg60n.dll
[2007/09/27 08:57:45 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwmf60n.dll
[2007/09/27 08:57:45 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\lfmsp60n.dll
[2007/09/27 08:57:45 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\lfmac60n.dll
[2007/09/26 23:38:48 | 000,003,160 | ---- | C] () -- C:\WINDOWS\AHDL41.INI
[2007/09/26 20:40:16 | 000,001,641 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/09/24 17:52:08 | 000,040,960 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/09/17 17:51:18 | 000,006,364 | ---- | C] () -- C:\WINDOWS\mayura.ini
[2007/09/17 12:39:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/09/17 12:39:28 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\msiosd32.dll
[2007/09/17 12:39:28 | 000,000,245 | ---- | C] () -- C:\WINDOWS\Msiosd.ini
[2007/09/16 20:14:11 | 000,000,961 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/13 22:23:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/09/13 19:44:36 | 000,000,305 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\addr_file.html
[2007/09/13 19:10:56 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/09/13 19:10:43 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/09/13 19:05:54 | 000,000,612 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2007/09/13 03:31:31 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/09/13 03:30:08 | 000,158,752 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/09/12 22:02:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/09/12 21:59:19 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/05/31 14:19:08 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/08/28 16:27:58 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/06/27 11:27:14 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2002/02/27 10:41:28 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll
[2002/02/27 10:41:26 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2002/02/27 10:41:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2001/08/23 01:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 01:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 01:30:00 | 000,694,600 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 01:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 01:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 01:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 01:30:00 | 000,159,702 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 01:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 01:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 01:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1998/03/10 00:00:00 | 000,042,496 | ---- | C] () -- C:\WINDOWS\ttuninst.exe
[1996/04/03 13:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

< End of report >
