
Windows Recovery and various nasty Trojans.


32 replies to this topic

#1 ningo

ningo

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:47 PM

Posted 27 March 2011 - 05:29 PM

Hi

I've got a problem with my computer and it would be great if you could help me out.

A couple of days ago I had pop-up after pop-up. The major one was Windows Recovery, which hid all of my files and suggested I had a hardware failure. I couldn't do anything but close my computer (couldn't access Task Manager) and I guess it installed itself then.

Followed the instructions on bleepingcomputer.com on Windows Recovery removal. Re-installed MBAM and ran it in safe mode (with networking) and also ran Superantispyware in safe mode. When going into normal mode there were some weird pop-ups (Windows Recovery and other similar fake AV), ran Superantispyware and MBAM and they got rid of them. Superantispyware caught some nasties (various Trojans) but as my computer is acting a bit weird I am led to believe there is still something here.

I am using:
Windows Vista
Fujitsu Siemens Amilo

Weirdness in the computer:
  • Every once in a while the screen looks like it almost blinks (hard to explain, but that's what it resembles the most). The site I am on becomes inactive (paler colour) and if I am writing at the time the type won't appear on the screen. I have to click on the screen again for the type to appear on screen. This happens pretty frequently and is HIGHLY annoying.
  • I've enabled hidden files - on my desktop I see an icon for Windows Recovery (is this the virus or legitimate?)
  • When using Google on safe mode (with networking), every time I clicked on a searched topic it redirected me to random sites (like cheapflightstobeijing.com, manga.com etc. etc.). This could only be bypassed by actually typing the whole URL up there. Strangely, this does not happen on normal mode.
  • When starting my computer I get an error message that Catalyst Control Center has stopped working and is terminated by Windows.

I've run DDS but couldn't run gmer.

When I right-click on gmer.zip I can't see the Extract all option at all. There are just Open, Open with etc. options.

When double-clicking on the gmer.zip file I get this error notice

Microsoft Visual C++ Runtime Library
Runtime Error:
Program: C:\Program Files\jZip\jZip.exe
This application has requested Runtime to run it in an unusual manner.


It would be amazing if you could help me with getting rid of whatever is infecting my computer.

--------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Irina at 22:07:56,05 on su 27.03.2011
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.358.1035.18.1918.860 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\System32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\helppane.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Irina\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fi/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [JgUJevQpNnePtDM] c:\programdata\JgUJevQpNnePtDM.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [recinfo795] c:\recinfo\RecInfo.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: V&ie Microsoft Exceliin - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Vie Microsoft E&xceliin - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\irina\appdata\roaming\mozilla\firefox\profiles\b0hqollt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pointshop.fi/ep_startpage.asp?do=sp&userid=3016053&tjecksum=5440959612&email=suklaatajakahvia@gmail.com&doAutoLogin=true
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{5d393167-8b1c-4ce1-8593-0ba5f39f3210}: {5d393167-8b1c-4ce1-8593-0ba5f39f3210} - %profile%\extensions\{5d393167-8b1c-4ce1-8593-0ba5f39f3210}
FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
.
============= SERVICES / DRIVERS ===============
.
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-5-23 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-5-23 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-5-23 170408]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
.
=============== Created Last 30 ================
.
2011-03-27 12:12:01 -------- d-----w- c:\program files\Secunia
2011-03-27 10:41:18 1283998 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-25 05:00:23 331776 --sha-w- c:\users\irina\appdata\local\jik.exe
2011-03-25 00:16:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-25 00:16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-19 13:49:48 -------- d--h--w- c:\program files\iPod
2011-03-19 13:49:38 -------- d--h--w- c:\program files\iTunes
2011-03-13 21:53:33 -------- d--h--w- c:\users\irina\appdata\roaming\PhotoScape
2011-03-13 21:48:07 -------- d--h--w- c:\program files\PhotoScape
2011-03-12 19:19:09 -------- d--h--w- c:\program files\Bonjour
.
==================== Find3M ====================
.
.
============= FINISH: 22:11:06,31 ===============


Edited by ningo, 27 March 2011 - 05:36 PM.
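As an added example (not code from this thread, nor from DDS or OTL): a small Python triage script that parses lines in the DDS "Pseudo HJT Report" format pasted above and flags the kinds of entries a malware-removal helper checks first: autoruns launched from user-writable directories under machine-generated names, a freshly created hidden+system executable under the user profile, and policy values that silence UAC and Security Center alerts. The sample lines are copied from the log above; the scoring heuristics and every function name are this example's own assumptions, not DDS behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [JgUJevQpNnePtDM] c:\programdata\JgUJevQpNnePtDM.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
2011-03-25 05:00:23 331776 --sha-w- c:\users\irina\appdata\local\jik.exe
2011-03-25 00:16:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

# Line shapes used by DDS: uRun/mRun autoruns, policy values, "Created Last 30" files.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<name>\w+) = (?P<value>\d+)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} [\d:]+\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")

# Directories an ordinary user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\")

# Policy settings that weaken the user's own defences when set this way (heuristic list).
RISKY_POLICIES = {
    ("EnableLUA", "0"): "UAC disabled (EnableLUA = 0)",
    ("HideSCAHealth", "1"): "Security Center health alerts hidden (HideSCAHealth = 1)",
}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def looks_random(name):
    """Heuristic: one long alphabetic token with many upper/lower case flips."""
    if " " in name or len(name) < 12 or not name.isalpha():
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 5


def exe_path(cmd):
    """Return the lower-cased executable path, dropping quotes and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    # First token ending in .exe; keeps the spaces inside "program files".
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", cmd)
    return (m.group(1) if m else cmd).lower()


def triage_line(line):
    """Classify one DDS line and attach the reasons it deserves a closer look."""
    line = line.strip()
    f = Finding(line)
    if m := RUN_RE.match(line):
        name, path = m.group("name"), exe_path(m.group("cmd"))
        if any(d in path for d in USER_WRITABLE):
            f.reasons.append("autorun launches from a user-writable directory")
        if looks_random(name):
            f.reasons.append("autorun value name looks machine-generated")
            if path.rsplit("\\", 1)[-1] == name.lower() + ".exe":
                f.reasons.append("executable is named after the random value")
    elif m := POLICY_RE.match(line):
        reason = RISKY_POLICIES.get((m.group("name"), m.group("value")))
        if reason:
            f.reasons.append(reason)
    elif m := CREATED_RE.match(line):
        attrs, path = m.group("attrs"), m.group("path").lower()
        hidden_system = "s" in attrs and "h" in attrs
        if hidden_system and path.endswith(".exe") and any(d in path for d in USER_WRITABLE):
            f.reasons.append("new hidden+system executable under the user profile")
    return f


def triage(text):
    """Return only the lines that collected at least one reason."""
    return [f for f in map(triage_line, text.splitlines()) if f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

The script is deliberately conservative: benign entries such as the Sidebar autorun, the Windows Defender entry and the MBAM driver collect no reasons, while the random-named %ProgramData% autorun, the hidden jik.exe under AppData and the two weakened policies are surfaced for a human to judge. The heuristics are a starting point for reading a log, not a verdict.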




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:47 PM

Posted 03 April 2011 - 08:45 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 ningo

ningo
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:47 PM

Posted 03 April 2011 - 06:10 PM

Hi and thanks for your reply myrti.

I've got Windows Vista, don't know if it is 32 or 64.

If needed I can get the Windows CD.

Symptoms:
1. Google results redirect to random sites
2. Occasionally internet screen goes inactive even when I am typing/scrolling (Not sure if this happens with any other applications as haven't used Word for a while)
3. Windows Catalyst Control Center stops working when turning the computer on.
4. After enabling hidden files (as Windows Recovery hid all of them) I can see Windows Recovery on the desktop.
5. Last time I ran rKill it stopped grpconv.exe and SSUPDATE.EXE
6. Google is pretty slow to return searches

OTL text:

OTL logfile created on: 3.4.2011 23:10:31 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Irina\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 0000040B | Country: Suomi | Language: FIN | Date Format: d.M.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 51,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 68,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148,10 Gb Total Space | 13,46 Gb Free Space | 9,09% Space Free | Partition Type: NTFS
Drive D: | 73,07 Gb Total Space | 23,28 Gb Free Space | 31,86% Space Free | Partition Type: NTFS

Computer Name: IRINA-PC | User Name: Irina | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.04.03 23:04:33 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Irina\Desktop\OTL.exe
PRC - [2011.03.19 13:49:29 | 002,423,752 | -H-- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2011.03.06 15:32:16 | 000,912,344 | -H-- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011.01.10 15:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011.01.10 15:24:20 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2009.07.27 03:10:00 | 001,983,816 | -H-- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007.05.11 03:06:38 | 000,341,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
PRC - [2007.02.22 20:50:00 | 000,144,960 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2007.02.22 20:50:00 | 000,112,216 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2007.02.22 20:50:00 | 000,054,872 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2006.12.29 10:11:00 | 004,317,184 | -H-- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2006.12.19 15:06:00 | 000,086,016 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
PRC - [2006.12.19 11:27:54 | 000,136,768 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2006.12.19 11:27:00 | 000,136,768 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2006.12.19 11:24:50 | 000,104,000 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2006.12.08 18:52:04 | 000,204,800 | -H-- | M] (Fujitsu Siemens Computers) -- C:\FirstSteps\OnlineDiagnostic\TestManager\TestHandler.exe
PRC - [2006.11.22 17:31:26 | 000,630,784 | -H-- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2006.11.02 10:44:59 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2005.09.30 20:22:50 | 000,096,341 | -H-- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe


========== Modules (SafeList) ==========

MOD - [2011.04.03 23:04:33 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Irina\Desktop\OTL.exe
MOD - [2006.11.02 10:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011.01.10 15:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2009.07.20 13:28:10 | 000,121,360 | -H-- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2007.02.22 20:50:00 | 000,144,960 | -H-- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2007.02.22 20:50:00 | 000,054,872 | -H-- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2006.12.19 11:24:50 | 000,104,000 | -H-- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2006.12.08 18:52:04 | 000,204,800 | -H-- | M] (Fujitsu Siemens Computers) [Auto | Running] -- C:\FirstSteps\OnlineDiagnostic\TestManager\TestHandler.exe -- (TestHandler)
SRV - [2005.09.30 20:22:50 | 000,096,341 | -H-- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - [2010.09.01 09:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\psi_mf.sys -- (PSI)
DRV - [2010.05.10 19:41:30 | 000,067,656 | -H-- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010.02.17 19:25:48 | 000,012,872 | -H-- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009.09.05 15:25:36 | 001,183,744 | -H-- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009.06.17 17:56:16 | 000,037,392 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009.06.17 17:56:06 | 000,035,472 | -H-- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007.07.02 16:37:10 | 000,131,616 | -H-- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007.07.02 16:37:08 | 000,110,112 | -H-- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007.06.13 22:47:12 | 000,048,256 | -H-- | M] (JMicron Technology Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\jraid.sys -- (JRAID)
DRV - [2007.04.11 14:33:06 | 000,079,376 | -H-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2007.04.11 14:32:38 | 000,063,248 | -H-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2007.04.11 14:32:30 | 000,020,496 | -H-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007.02.22 20:50:00 | 000,170,408 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2007.02.02 15:09:42 | 002,385,920 | -H-- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2007.01.15 22:28:20 | 000,070,144 | -H-- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006.11.30 08:50:00 | 000,072,264 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2006.11.30 08:50:00 | 000,064,360 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2006.11.30 08:50:00 | 000,052,136 | -H-- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2006.11.30 08:50:00 | 000,034,152 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2006.11.30 08:50:00 | 000,031,944 | -H-- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2006.11.22 17:35:00 | 000,982,272 | -H-- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
IE - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.pointshop.fi/ep_startpage.asp?do=sp&userid=3016053&tjecksum=5440959612&email=suklaatajakahvia@gmail.com&doAutoLogin=true"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {a95d8332-e4b4-6e7f-98ac-20b733364387}:0.5.2
FF - prefs.js..extensions.enabledItems: {5d393167-8b1c-4ce1-8593-0ba5f39f3210}:0.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008.10.30 23:55:33 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.03.28 11:31:59 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.03.29 13:35:59 | 000,000,000 | -H-D | M]

[2008.12.08 11:12:54 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Irina\AppData\Roaming\mozilla\Extensions
[2011.04.03 21:41:14 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Irina\AppData\Roaming\mozilla\Firefox\Profiles\b0hqollt.default\extensions
[2010.06.18 09:58:55 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Irina\AppData\Roaming\mozilla\Firefox\Profiles\b0hqollt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.06.05 00:33:46 | 000,000,000 | -H-D | M] () -- C:\Users\Irina\AppData\Roaming\mozilla\Firefox\Profiles\b0hqollt.default\extensions\{5d393167-8b1c-4ce1-8593-0ba5f39f3210}
[2011.03.19 14:39:02 | 000,000,000 | -H-D | M] (LeechBlock) -- C:\Users\Irina\AppData\Roaming\mozilla\Firefox\Profiles\b0hqollt.default\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
[2011.04.03 21:41:14 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010.05.24 10:42:08 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.05.24 10:41:07 | 000,411,368 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011.03.28 11:31:50 | 000,002,062 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bookplus-fi.xml
[2011.03.28 11:31:50 | 000,001,069 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons-fi.xml
[2011.03.28 11:31:50 | 000,002,677 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\huuto-fi.xml
[2011.03.28 11:31:50 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-fi.xml
[2011.03.28 11:31:50 | 000,001,100 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-fi.xml

O1 HOSTS File: ([2008.07.02 20:46:57 | 000,244,668 | RH-- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 8541 more lines...
O2 - BHO: (Adobe PDF Reader -linkkiavustaja) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
O3 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\..\Toolbar\WebBrowser: (no name) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No CLSID value found.
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [recinfo795] c:\RecInfo\RecInfo.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000..\Run: [JgUJevQpNnePtDM] File not found
O4 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000..\Run: [StartCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10l_ActiveX.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Irina\AppData\Roaming\Microsoft\Windows Photo Gallery\Windowsin valokuvavalikoiman taustakuva.jpg
O24 - Desktop BackupWallPaper: C:\Users\Irina\AppData\Roaming\Microsoft\Windows Photo Gallery\Windowsin valokuvavalikoiman taustakuva.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | -H-- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: klmdb.sys - Driver
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web-kansiot
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {78028BE9-3B2E-46E9-B588-BB9AEE0F4088} - .NET Framework
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Reg Error: Value error.
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011.04.03 23:05:20 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Irina\Desktop\OTL.exe
[2011.03.27 13:12:01 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2011.03.27 13:08:09 | 001,739,024 | ---- | C] (Secunia) -- C:\Users\Irina\Desktop\PSISetup.exe
[2011.03.26 01:27:47 | 005,459,128 | ---- | C] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Users\Irina\Desktop\SASDEFINITIONS.EXE
[2011.03.25 01:16:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.03.25 01:16:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.03.25 01:16:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011.03.25 01:09:18 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Irina\Desktop\mbam-setup.exe
[2011.03.24 23:42:02 | 000,000,000 | -H-D | C] -- C:\Users\Irina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery
[2011.03.19 14:52:09 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011.03.19 14:49:48 | 000,000,000 | -H-D | C] -- C:\Program Files\iPod
[2011.03.19 14:49:38 | 000,000,000 | -H-D | C] -- C:\Program Files\iTunes
[2011.03.14 09:55:06 | 000,000,000 | -H-D | C] -- C:\ProgramData\Google
[2011.03.13 22:53:33 | 000,000,000 | -H-D | C] -- C:\Users\Irina\AppData\Roaming\PhotoScape
[2011.03.13 22:50:21 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScape
[2011.03.13 22:48:07 | 000,000,000 | -H-D | C] -- C:\Program Files\PhotoScape
[2011.03.12 20:19:09 | 000,000,000 | -H-D | C] -- C:\Program Files\Bonjour
[12 C:\Users\Irina\Documents\*.tmp files -> C:\Users\Irina\Documents\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.04.03 23:04:33 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Irina\Desktop\OTL.exe
[2011.04.03 22:27:39 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.04.03 22:27:39 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.04.03 21:27:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.04.03 21:27:26 | 2011,283,456 | -HS- | M] () -- C:\hiberfil.sys
[2011.03.29 13:41:50 | 000,102,666 | ---- | M] () -- C:\Users\Irina\Documents\Ryanair030411.pdf
[2011.03.29 13:41:00 | 000,108,355 | ---- | M] () -- C:\Users\Irina\Documents\RyanairBoardingPass-3.pdf
[2011.03.29 13:35:59 | 000,001,893 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2011.03.29 13:35:12 | 000,102,666 | ---- | M] () -- C:\Users\Irina\Documents\Ryanair3411.pdf
[2011.03.29 13:29:47 | 000,102,491 | ---- | M] () -- C:\Users\Irina\Documents\Ryanair.pdf
[2011.03.29 13:29:14 | 000,108,191 | ---- | M] () -- C:\Users\Irina\Documents\RyanairBoardingPass30311.pdf
[2011.03.27 22:16:29 | 000,293,019 | ---- | M] () -- C:\Users\Irina\Desktop\gmer.zip
[2011.03.27 22:05:25 | 000,000,000 | ---- | M] () -- C:\Users\Irina\defogger_reenable
[2011.03.27 13:12:07 | 000,000,905 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011.03.27 13:08:08 | 001,739,024 | ---- | M] (Secunia) -- C:\Users\Irina\Desktop\PSISetup.exe
[2011.03.26 01:27:47 | 005,459,128 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Users\Irina\Desktop\SASDEFINITIONS.EXE
[2011.03.25 08:38:46 | 000,011,772 | -HS- | M] () -- C:\Users\Irina\AppData\Local\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv
[2011.03.25 08:38:46 | 000,011,772 | -HS- | M] () -- C:\ProgramData\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv
[2011.03.25 06:00:23 | 000,331,776 | -HS- | M] () -- C:\Users\Irina\AppData\Local\jik.exe
[2011.03.25 06:00:17 | 000,001,356 | ---- | M] () -- C:\Users\Irina\AppData\Local\d3d9caps.dat
[2011.03.25 01:16:34 | 000,000,912 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.03.25 01:09:17 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Irina\Desktop\mbam-setup.exe
[2011.03.25 01:05:23 | 001,006,778 | ---- | M] () -- C:\Users\Irina\Desktop\iExplore.exe
[2011.03.24 23:44:45 | 000,000,096 | -H-- | M] () -- C:\ProgramData\~33087264
[2011.03.24 23:44:44 | 000,000,128 | -H-- | M] () -- C:\ProgramData\~33087264r
[2011.03.24 23:42:02 | 000,000,589 | -H-- | M] () -- C:\Users\Irina\Desktop\Windows Recovery.lnk
[2011.03.19 14:52:09 | 000,001,670 | -H-- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011.03.17 10:44:04 | 000,613,046 | -H-- | M] () -- C:\Windows\System32\perfh009.dat
[2011.03.17 10:44:04 | 000,462,826 | -H-- | M] () -- C:\Windows\System32\perfh00B.dat
[2011.03.17 10:44:04 | 000,104,768 | -H-- | M] () -- C:\Windows\System32\perfc009.dat
[2011.03.17 10:44:04 | 000,085,022 | -H-- | M] () -- C:\Windows\System32\perfc00B.dat
[2011.03.14 09:17:51 | 000,001,730 | -H-- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011.03.14 09:14:08 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
[2011.03.13 22:50:22 | 000,000,858 | -H-- | M] () -- C:\Users\Irina\Application Data\Microsoft\Internet Explorer\Quick Launch\PhotoScape.lnk
[2011.03.13 22:50:22 | 000,000,834 | -H-- | M] () -- C:\Users\Irina\Desktop\PhotoScape.lnk
[2011.03.12 20:20:38 | 000,001,854 | -H-- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2011.03.12 20:20:38 | 000,001,854 | -H-- | M] () -- C:\Users\Irina\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[12 C:\Users\Irina\Documents\*.tmp files -> C:\Users\Irina\Documents\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.03.29 13:41:47 | 000,102,666 | ---- | C] () -- C:\Users\Irina\Documents\Ryanair030411.pdf
[2011.03.29 13:41:00 | 000,108,355 | ---- | C] () -- C:\Users\Irina\Documents\RyanairBoardingPass-3.pdf
[2011.03.29 13:35:59 | 000,001,893 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2011.03.29 13:35:59 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 8.lnk
[2011.03.29 13:35:08 | 000,102,666 | ---- | C] () -- C:\Users\Irina\Documents\Ryanair3411.pdf
[2011.03.29 13:29:14 | 000,108,191 | ---- | C] () -- C:\Users\Irina\Documents\RyanairBoardingPass30311.pdf
[2011.03.27 22:16:35 | 000,293,019 | ---- | C] () -- C:\Users\Irina\Desktop\gmer.zip
[2011.03.27 22:05:25 | 000,000,000 | ---- | C] () -- C:\Users\Irina\defogger_reenable
[2011.03.27 17:42:51 | 2011,283,456 | -HS- | C] () -- C:\hiberfil.sys
[2011.03.27 13:12:07 | 000,000,905 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011.03.27 13:12:07 | 000,000,868 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
[2011.03.25 06:00:23 | 000,331,776 | -HS- | C] () -- C:\Users\Irina\AppData\Local\jik.exe
[2011.03.25 06:00:23 | 000,011,772 | -HS- | C] () -- C:\Users\Irina\AppData\Local\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv
[2011.03.25 06:00:23 | 000,011,772 | -HS- | C] () -- C:\ProgramData\6o1fpxf5dlxq47de5jb1600yp8m4cy5xnp3yiv
[2011.03.25 01:16:34 | 000,000,912 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.03.25 01:05:19 | 001,006,778 | ---- | C] () -- C:\Users\Irina\Desktop\iExplore.exe
[2011.03.24 23:44:44 | 000,000,128 | -H-- | C] () -- C:\ProgramData\~33087264r
[2011.03.24 23:44:44 | 000,000,096 | -H-- | C] () -- C:\ProgramData\~33087264
[2011.03.24 23:42:02 | 000,000,589 | -H-- | C] () -- C:\Users\Irina\Desktop\Windows Recovery.lnk
[2011.03.19 14:52:09 | 000,001,670 | -H-- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011.03.14 09:17:50 | 000,001,730 | -H-- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011.03.14 09:14:08 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
[2011.03.13 22:50:22 | 000,000,858 | -H-- | C] () -- C:\Users\Irina\Application Data\Microsoft\Internet Explorer\Quick Launch\PhotoScape.lnk
[2011.03.13 22:50:22 | 000,000,834 | -H-- | C] () -- C:\Users\Irina\Desktop\PhotoScape.lnk
[2011.02.12 09:00:30 | 000,562,333 | -H-- | C] () -- C:\Windows\hpoins21.dat.temp
[2011.02.12 09:00:29 | 000,007,262 | -H-- | C] () -- C:\Windows\hpomdl21.dat.temp
[2010.05.26 08:55:13 | 000,078,161 | -H-- | C] () -- C:\Windows\hpqins05.dat
[2010.05.23 21:52:08 | 000,000,280 | -H-- | C] () -- C:\Windows\System32\epoPGPsdk.dll.sig
[2010.05.19 00:47:52 | 000,256,512 | -H-- | C] () -- C:\Windows\PEV.exe
[2010.05.19 00:47:52 | 000,098,816 | -H-- | C] () -- C:\Windows\sed.exe
[2010.05.19 00:47:52 | 000,080,412 | -H-- | C] () -- C:\Windows\grep.exe
[2010.05.19 00:47:52 | 000,077,312 | -H-- | C] () -- C:\Windows\MBR.exe
[2010.05.19 00:47:52 | 000,068,096 | -H-- | C] () -- C:\Windows\zip.exe
[2010.05.12 02:47:08 | 000,000,930 | -H-- | C] () -- C:\Windows\lsrslt.ini
[2010.04.30 17:04:31 | 000,000,045 | RH-- | C] () -- C:\Windows\gsc_user.dat
[2009.08.03 15:07:42 | 000,403,816 | -H-- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009.08.03 15:07:42 | 000,230,768 | -H-- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009.07.06 09:37:30 | 000,000,760 | -H-- | C] () -- C:\Users\Irina\AppData\Roaming\setup_ldm.iss
[2009.04.16 03:32:22 | 000,000,088 | -H-- | C] () -- C:\Windows\wininit.ini
[2009.03.06 16:37:28 | 000,093,384 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2009.01.29 13:46:52 | 000,000,416 | -H-- | C] () -- C:\Users\Irina\AppData\Roaming\Poladroid prefs.plist
[2008.04.21 01:21:03 | 000,000,224 | -H-- | C] () -- C:\Users\Irina\AppData\Roaming\APUSet.xml
[2008.04.21 01:21:00 | 000,005,993 | -H-- | C] () -- C:\Users\Irina\AppData\Roaming\PrimoPDFSet.xml
[2008.04.21 01:19:57 | 000,176,235 | -H-- | C] () -- C:\Windows\System32\Primomonnt.dll
[2008.03.03 11:24:08 | 000,001,356 | ---- | C] () -- C:\Users\Irina\AppData\Local\d3d9caps.dat
[2008.03.01 23:51:28 | 000,000,000 | -H-- | C] () -- C:\Windows\nsreg.dat
[2008.01.20 00:04:38 | 000,000,069 | -H-- | C] () -- C:\Windows\NeroDigital.ini
[2008.01.06 19:31:22 | 000,000,390 | -H-- | C] () -- C:\Windows\ODBC.INI
[2008.01.02 16:25:36 | 000,131,072 | -H-- | C] () -- C:\Users\Irina\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007.12.29 19:56:06 | 000,000,776 | -H-- | C] () -- C:\Users\Irina\AppData\Roaming\wklnhst.dat
[2007.08.29 15:55:38 | 000,081,920 | -H-- | C] () -- C:\Windows\System32\sw2_ttls_manager.exe
[2006.11.06 23:49:36 | 000,000,310 | -H-- | C] () -- C:\Windows\primopdf.ini
[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 13:47:37 | 000,305,416 | -H-- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:33:01 | 000,613,046 | -H-- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 11:33:01 | 000,287,440 | -H-- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 11:33:01 | 000,104,768 | -H-- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 11:33:01 | 000,030,674 | -H-- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 11:23:21 | 000,215,943 | -H-- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 09:19:00 | 000,000,741 | -H-- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 08:40:29 | 000,013,750 | -H-- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 08:25:31 | 000,673,088 | -H-- | C] () -- C:\Windows\System32\mlang.dat
[2006.11.02 08:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006.11.02 08:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006.08.11 17:52:02 | 000,012,288 | -H-- | C] () -- C:\Windows\System32\EvOnlDiag.dll
[2003.04.01 09:58:30 | 000,005,649 | -H-- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1999.09.10 20:01:54 | 003,107,788 | -H-- | C] () -- C:\Windows\System32\atiumdva.dat
[1999.09.10 20:01:54 | 000,159,744 | -H-- | C] () -- C:\Windows\System32\atitmmxx.dll
[1999.09.10 20:01:53 | 000,128,813 | -H-- | C] () -- C:\Windows\System32\atiicdxx.dat
[1999.09.10 19:33:02 | 000,462,826 | -H-- | C] () -- C:\Windows\System32\perfh00B.dat
[1999.09.10 19:33:02 | 000,274,158 | -H-- | C] () -- C:\Windows\System32\perfi00B.dat
[1999.09.10 19:33:02 | 000,085,022 | -H-- | C] () -- C:\Windows\System32\perfc00B.dat
[1999.09.10 19:33:02 | 000,036,790 | -H-- | C] () -- C:\Windows\System32\perfd00B.dat

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008.10.29 07:20:29 | 002,923,520 | -H-- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\ERDNT\cache\explorer.exe
[2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\explorer.exe
[2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008.10.30 04:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2007.12.29 20:36:17 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2005.08.16 03:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Irina\AppData\Local\temp\RarSFX0\h\explorer.exe
[2007.12.29 20:36:17 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2008.10.28 03:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006.11.02 10:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe

< MD5 for: WININIT.EXE >
[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\System32\wininit.exe
[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe

< MD5 for: WINLOGON.EXE >
[2006.11.02 10:45:57 | 000,308,224 | -H-- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\ERDNT\cache\winlogon.exe
[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\System32\winlogon.exe
[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2009.05.26 20:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Irina\AppData\Local\temp\RarSFX0\winlogon.exe

< End of report >


Extras text

OTL Extras logfile created on: 3.4.2011 23:10:31 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Irina\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 0000040B | Country: Suomi | Language: FIN | Date Format: d.M.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 51,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 68,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148,10 Gb Total Space | 13,46 Gb Free Space | 9,09% Space Free | Partition Type: NTFS
Drive D: | 73,07 Gb Total Space | 23,28 Gb Free Space | 31,86% Space Free | Partition Type: NTFS

Computer Name: IRINA-PC | User Name: Irina | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2725038491-1517790310-2373979269-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3B6F1F9E-9A19-4177-BA19-D180C1611AA3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B5878197-C7CB-4A05-AAE6-7F132E111E19}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{140678AE-13A1-413A-81F0-92B317DE1EE9}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{225B368D-36FA-41F5-B51C-107CF8607791}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{3DBC7948-4F33-4335-8D3E-8D91CA868DC4}" = protocol=17 | dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{43FC1363-39A6-45B2-BBD3-8F9C9D83FA51}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{44826B4E-415B-46F7-A674-8B77B8C32312}" = protocol=17 | dir=in | app=c:\program files\superantispyware\superantispyware.exe |
"{494358F9-D371-4655-838D-36B157B18DE1}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{571FB99F-0042-4556-93AC-592A66384BE2}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{575906E2-57DE-4133-84A4-B7ED707B3EEE}" = protocol=6 | dir=in | app=c:\windows\system32\spoolsv.exe |
"{5BED6969-5AEF-45D2-8140-2FA9F141A887}" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"{73145482-08B4-4249-92F3-5672302C85EB}" = protocol=6 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{7977AAFE-60AA-4E83-A7FD-CDB313178679}" = protocol=17 | dir=in | app=c:\program files\superantispyware\runsas.exe |
"{79BD70AE-D8BD-4F44-B650-766FD4ECE02F}" = protocol=6 | dir=in | app=c:\program files\spotify\spotify.exe |
"{7ADCB8D8-4F68-4490-8E9B-47BEA04CFD1B}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{834504D1-0C31-4B10-AF1C-2C271F7A5073}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{85A95F7F-1B25-4A36-8B2F-4A01276C6EC0}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{863A6CE2-CBCF-489C-809C-AD2C518066CC}" = protocol=6 | dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{8A759ECA-C45C-40DC-9D8C-9F867597B469}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{9EC72277-5C28-4A1C-B6B0-B87C8A6D5D10}" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |
"{B239E1BE-600A-4C30-990E-5867C11BDCAA}" = protocol=6 | dir=in | app=c:\program files\superantispyware\runsas.exe |
"{B3A2E261-859A-40B1-9301-621953EA0EB7}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{B935B60A-3EFD-43C5-85E7-1E962B57ECE7}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{C1976C64-9EB6-4745-9AAD-E162F0999684}" = protocol=6 | dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{C58D60B8-4170-4038-9895-0D7D1436E4CD}" = protocol=17 | dir=in | app=c:\program files\spotify\spotify.exe |
"{D7DC33FB-8D1F-498B-8F57-BBE4908BD3C4}" = protocol=17 | dir=in | app=c:\program files\spotify\spotify.exe |
"{D8124D3A-AD37-4FDC-8845-18E50A1DD16D}" = protocol=17 | dir=in | app=c:\windows\system32\spoolsv.exe |
"{DB70C48D-6503-4BB9-9444-0E8E50E086F4}" = protocol=6 | dir=in | app=c:\program files\spotify\spotify.exe |
"{DFAD5A59-D30B-4913-AD58-235CCC17B855}" = protocol=17 | dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{E0024DC6-CA32-47D8-8FC7-0529DC070BEA}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{E531A73F-6BCF-450A-AA11-39D49C8ADA9A}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{E5B765F2-48DA-4918-BCDD-4E184A685258}" = protocol=17 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{E5FCF61E-C75C-46FE-8CB2-7845B24A8C11}" = protocol=6 | dir=in | app=c:\program files\superantispyware\superantispyware.exe |
"{EA43E815-CF34-44EA-8FC8-68AFE0A06E45}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{7AC00537-855F-478E-A331-1EC5A6CB59B5}C:\program files\vuze\azureus.exe" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"TCP Query User{A224D2D1-416A-4854-9D59-2C0F2A83C52C}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{D833EBC3-CE63-4539-80E4-09C6FC2F5073}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"TCP Query User{F3F42255-F9AF-4948-80E7-B935CB4C9432}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{578FF176-7122-43C8-AAA9-892C5DFC4F8B}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"UDP Query User{63180496-5F3E-4279-AEEC-0FEE53EDA353}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{7BBFD639-8D88-4CBD-B69F-B761FB0EC591}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{81765C99-7F29-4F39-8234-459B3F2135CE}C:\program files\vuze\azureus.exe" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{028741EB-70F5-BF63-EB23-480A7C48F096}" = CCC Help German
"{0343FEB6-43EA-0608-CF1F-6B4D20784AA8}" = Catalyst Control Center Localization Italian
"{03B5882D-D9DB-B950-CBE1-D03DDBFFF458}" = CCC Help Chinese Traditional
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4700_series" = Canon iP4700 series Printer Driver
"{1B3A67B0-F54D-2F98-763C-B8E309135C38}" = Catalyst Control Center Localization Swedish
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F9B00FC-AD74-A45C-3E73-83CF895E9CD0}" = Catalyst Control Center Localization Spanish
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Liven lataustyökalu
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{29F482A1-9828-5830-1F96-798E75CB90EB}" = CCC Help French
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2B541619-4920-A88A-AEB6-C4E76672B726}" = ccc-utility
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{32AFDE70-6890-478B-BC92-8F3C76B8A77B}" = Branding
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{37AF3415-B43F-FB0B-124B-4B207657DF66}" = Catalyst Control Center Localization Japanese
"{3E5D1BD1-3451-15A7-D5EB-FB4C1C713C33}" = Catalyst Control Center Localization Chinese Standard
"{3FB83D9B-35B3-44E2-639B-6839332BBB29}" = Catalyst Control Center Localization Portuguese
"{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}" = ATI Catalyst Install Manager
"{48FD4CEC-7ED7-5220-2032-E780075764E4}" = CCC Help Japanese
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{587601F9-A917-AE27-263A-0854BE106BE9}" = Catalyst Control Center Localization German
"{625309B9-9853-B259-CA17-DA4838E2D7C6}" = Catalyst Control Center Localization Dutch
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{66E98E51-BFF9-5922-1316-7AF58170CA54}" = Catalyst Control Center Graphics Light
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{71C97813-ADFC-AA48-D24F-17E6CD41B413}" = Skins
"{74EF2D1D-D3A6-3A56-1DD7-56A338BADD29}" = CCC Help Chinese Standard
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{787AD427-7FEB-A87C-4C2E-C95610EF345B}" = Catalyst Control Center Core Implementation
"{7D9EF8C1-1B76-44AF-A918-86CBA6FD24C8}" = Microsoft Works
"{81CD6232-10F5-4832-B3DA-1B88B1571035}" = Nero 7 Essentials
"{8535028B-D4EE-B929-97A0-354013AE5D94}" = Catalyst Control Center Localization Korean
"{90120000-0020-040B-0000-0000000FF1CE}" = 2007 Office Systemin yhteensopivuuspaketti
"{90BC0F01-9D99-4686-AC14-2EEC0246FB84}" = Poladroid
"{9112040B-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9279B0F3-C831-7C50-9F07-73B1219322B6}" = Catalyst Control Center Localization Chinese Traditional
"{94D66D71-12F0-48A5-B46A-D4B835A0F1B7}" = FirstSteps Diagnostics
"{94E89EFD-5841-17EA-4F69-37A5DA58A735}" = CCC Help Spanish
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{998152E5-B605-4BBB-9853-E749AEE02B21}" = Windows Liven kirjautumisavustaja
"{9A983135-BB9F-6E62-F282-AD76BB9551FE}" = CCC Help English
"{9AE73DF3-2349-A626-AE42-7959D7583E2B}" = Catalyst Control Center Graphics Full Existing
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A603BB91-F08F-025F-4158-E897DC29D037}" = Catalyst Control Center Localization French
"{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
"{AA27D595-32F0-97EB-BC94-1ED22E7444A8}" = CCC Help Portuguese
"{AA4C0345-2E31-4D99-B4E6-7351975E06F6}" = Windows Liven asennustyökalu
"{AC76BA86-7AD7-1035-7B44-A81300000003}" = Adobe Reader 8.1.3 - Suomi
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C199FC68-C95D-423D-9DE8-F2FCF88AB184}" = EViews 6 Student Version
"{C61E8F12-31F1-C2E6-DC0C-505CBF2BEE57}" = ccc-core-static
"{C73F2967-062E-48F2-A462-D335B8950183}" = Safari
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CCC67B82-CD80-9C07-4C4A-D5B9C7137399}" = CCC Help Italian
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2B49278-3321-FFBA-0F7C-127878A9CB5D}" = CCC Help Dutch
"{D723FE60-F9EC-D688-0274-7BF2FF96E80A}" = Catalyst Control Center Graphics Full New
"{E11274EB-B35F-4A35-BC5B-98823FFE7519}" = Windows Live Messenger
"{E1FA2D24-5633-83B3-3C72-FB3749DAF724}" = CCC Help Swedish
"{E369A040-E812-37B3-A5B9-311E5579FAC3}" = Microsoft .NET Framework 3.5 Language Pack SP1 - fin
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F5E23357-CDCE-0246-677C-8097DAA6F8C5}" = CCC Help Korean
"{FA2B72B1-B29E-57FB-5AFB-74734AC3442E}" = Catalyst Control Center Graphics Previews Vista
"{FEA3BE8A-67DB-4834-A2A8-D25A9D7F426D}" = Windows Live Call
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Uninstaller" = ATI Uninstaller
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon iP4700 series -käyttäjän rekisteröinti" = Canon iP4700 series -käyttäjän rekisteröinti
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CSCLIB" = Canon Camera Support Core Library
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Free PDF to Word Doc Converter_is1" = Free PDF to Word Doc Converter v1.1
"jZip" = jZip
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 3.5 Language Pack SP1 - fin" = Microsoft .NET Framework 3.5 SP1:n kielitukipaketti - FI
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"PhotoScape" = PhotoScape
"Picasa 3" = Picasa 3
"PrimoPDF4.0.1" = PrimoPDF
"RealPlayer 6.0" = RealPlayer
"Secunia PSI" = Secunia PSI (2.0.0.3001)
"SecureW2 TTLS Client" = SecureW2 TTLS Client 3.3.3 for Windows
"SMSERIAL" = Motorola SM56 Data Fax Modem
"Spotify" = Spotify
"WinLiveSuite_Wave3" = Windows Liven asennustyökalu
"VLC media player" = VLC media player 1.0.1

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2725038491-1517790310-2373979269-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 30.1.2010 19:08:13 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30.1.2010 19:08:14 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30.1.2010 19:08:14 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30.1.2010 19:08:14 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30.1.2010 19:08:15 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30.1.2010 19:08:15 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30.1.2010 19:08:15 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 30.1.2010 19:08:16 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 31.1.2010 13:02:04 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 31.1.2010 13:02:04 | Computer Name = Irina-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 7.6.2008 12:53:08 | Computer Name = Irina-PC | Source = Media Center Guide | ID = 0
Description = Tapahtumatiedot: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32
GetLastError returned 0D Prosessi: DefaultDomain Objektin nimi: Media Center Guide


Error - 7.6.2008 12:58:09 | Computer Name = Irina-PC | Source = Media Center Guide | ID = 0
Description = Tapahtumatiedot: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32
GetLastError returned 0D Prosessi: DefaultDomain Objektin nimi: Media Center Guide


[ System Events ]
Error - 28.3.2011 18:29:50 | Computer Name = Irina-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS ei sisällä IRQ-keskeytystä laitteelle PCI-väylässä
7, toiminto: 0. Järjestelmän toimittaja tai tekninen tukipalvelu voi ehkä auttaa.

Error - 28.3.2011 18:29:51 | Computer Name = Irina-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS ei sisällä IRQ-keskeytystä laitteelle PCI-väylässä
6, toiminto: 0. Järjestelmän toimittaja tai tekninen tukipalvelu voi ehkä auttaa.

Error - 28.3.2011 19:22:45 | Computer Name = Irina-PC | Source = DCOM | ID = 10010
Description =

Error - 29.3.2011 14:54:18 | Computer Name = Irina-PC | Source = disk | ID = 262151
Description = Virheellinen lohko laitteessa \Device\Harddisk0\DR0.

Error - 29.3.2011 14:54:22 | Computer Name = Irina-PC | Source = disk | ID = 262151
Description = Virheellinen lohko laitteessa \Device\Harddisk0\DR0.

Error - 29.3.2011 18:00:31 | Computer Name = Irina-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 29.3.2011 19:23:45 | Computer Name = Irina-PC | Source = DCOM | ID = 10010
Description =

Error - 3.4.2011 16:27:09 | Computer Name = Irina-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS ei sisällä IRQ-keskeytystä laitteelle PCI-väylässä
4, toiminto: 0. Järjestelmän toimittaja tai tekninen tukipalvelu voi ehkä auttaa.

Error - 3.4.2011 16:27:09 | Computer Name = Irina-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS ei sisällä IRQ-keskeytystä laitteelle PCI-väylässä
7, toiminto: 0. Järjestelmän toimittaja tai tekninen tukipalvelu voi ehkä auttaa.

Error - 3.4.2011 16:27:10 | Computer Name = Irina-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS ei sisällä IRQ-keskeytystä laitteelle PCI-väylässä
6, toiminto: 0. Järjestelmän toimittaja tai tekninen tukipalvelu voi ehkä auttaa.


< End of report >


Some of the bits aren't in English as my computer has been configured to run in Finnish.

Translation:

Description = IRQARB: ACPI BIOS ei sisällä IRQ-keskeytystä laitteelle PCI-väylässä
ACPI BIOS does not include IRQ-abortion on the device in PCI-bus

Description = Virheellinen lohko laitteessa \Device\Harddisk0\DR0.
Segment with mistakes in the device

Thanks for your help!

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts

Posted 03 April 2011 - 06:48 PM

Hi,

please run a scan with RkU next:
Please download Rootkit Unhooker from one of the following links and save it to your desktop. Link 1 (.exe file) Link 2 (zipped file) Link 3 (.rar file) In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.
  • Double-click on RKUnhookerLE.exe to start the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

For the record you have a 32-bit operating system. :)

regards myrti



#5 ningo

ningo
  • Topic Starter

  • Members
  • 23 posts

Posted 04 April 2011 - 04:18 AM

Hi myrti and thanks! Here is the report.
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6000
Number of processors #2
==============================================
>Drivers
==============================================
0x8B35C000 C:\Windows\system32\DRIVERS\atikmdag.sys 6963200 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82000000 C:\Windows\system32\ntkrnlpa.exe 3805184 bytes (Microsoft Corporation, NT Kernel & System)
0x82000000 PnpManager 3805184 bytes
0x82000000 RAW 3805184 bytes
0x82000000 WMIxWDM 3805184 bytes
0x94000000 Win32k 2097152 bytes
0x94000000 C:\Windows\System32\win32k.sys 2097152 bytes (Microsoft Corporation, Monikäyttäjä Win32-ohjain)
0x8C06A000 C:\Windows\system32\drivers\RTKVHDA.sys 1662976 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x8BCDB000 C:\Windows\system32\DRIVERS\athr.sys 1200128 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
0x81E94000 C:\Windows\System32\Drivers\Ntfs.sys 1081344 bytes (Microsoft Corporation, NT File System Driver)
0x80605000 C:\Windows\system32\drivers\ndis.sys 1064960 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8BEDC000 C:\Windows\system32\DRIVERS\smserial.sys 983040 bytes (Motorola Inc., Motorola SM56 Modem WDM Driver)
0x8051F000 C:\Windows\system32\CI.dll 921600 bytes (Microsoft Corporation, Code Integrity Module)
0x9E322000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8C69A000 C:\Windows\System32\drivers\tcpip.sys 876544 bytes (Microsoft Corporation, TCP/IP Driver)
0x8B2BD000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x974F2000 C:\Windows\system32\drivers\spsys.sys 581632 bytes (Microsoft Corporation, security processor)
0x804A4000 C:\Windows\system32\drivers\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0x81E2A000 C:\Windows\System32\Drivers\ksecdd.sys 434176 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x97A21000 C:\Windows\system32\drivers\HTTP.sys 430080 bytes (Microsoft Corporation, HTTP-protokollapino)
0x99855000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x807B6000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8C219000 C:\Windows\system32\drivers\afd.sys 290816 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8022A000 C:\Windows\system32\drivers\acpi.sys 274432 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8073A000 C:\Windows\system32\drivers\storport.sys 262144 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x89C09000 C:\Windows\system32\DRIVERS\USBPORT.SYS 249856 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8027A000 C:\Windows\system32\CLFS.SYS 241664 bytes (Microsoft Corporation, Common Log File System Driver)
0x8C62A000 C:\Windows\system32\DRIVERS\rdbss.sys 241664 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x998DC000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x81F9C000 C:\Windows\system32\drivers\NETIO.SYS 233472 bytes (Microsoft Corporation, Network I/O Subsystem)
0x877CA000 C:\Windows\system32\drivers\volsnap.sys 221184 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x823A1000 ACPI_HAL 212992 bytes
0x823A1000 C:\Windows\system32\hal.dll 212992 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8BFCC000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x8C00F000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x80709000 C:\Windows\system32\drivers\fltmgr.sys 200704 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9F46A000 C:\Windows\System32\Drivers\RDPWD.SYS 188416 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x8BEAF000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8AE07000 C:\Windows\system32\DRIVERS\msiscsi.sys 176128 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x81FD5000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x9746C000 C:\Windows\system32\DRIVERS\nwifi.sys 176128 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x8B239000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x9F518000 C:\Windows\system32\drivers\mfehidk.sys 163840 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0x8BE8A000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x877A5000 C:\Windows\System32\drivers\ecache.sys 151552 bytes (Microsoft Corporation, Special Memory Device Cache)
0x8047F000 C:\Windows\system32\drivers\pci.sys 151552 bytes (Microsoft Corporation, NT Plug and Play PCI -luettelointi)
0x998A6000 C:\Windows\System32\DRIVERS\srv2.sys 147456 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8B283000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8C665000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x8041D000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8BE29000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x99933000 C:\Windows\system32\drivers\mrxdav.sys 131072 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x80798000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x99915000 C:\Windows\system32\DRIVERS\mrxsmb.sys 122880 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x8077A000 C:\Windows\system32\drivers\vsmraid.sys 122880 bytes (VIA Technologies Inc.,Ltd, VIA RAID DRIVER FOR X86-32)
0x95115000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x97A06000 C:\Windows\System32\DRIVERS\srvnet.sys 110592 bytes (Microsoft Corporation, Server Network driver)
0x99967000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8B206000 C:\Windows\System32\drivers\fwpkclnt.sys 102400 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8043E000 C:\Windows\system32\drivers\nvraid.sys 102400 bytes (NVIDIA Corporation, NVIDIA® nForce™ RAID Driver)
0x89D59000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x8C613000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Client MUP Surrogate Driver)
0x8B2A6000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x9E20D000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8C203000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS-paketinajoitus)
0x89C50000 C:\Windows\system32\DRIVERS\Rtlh86.sys 86016 bytes (Realtek Corporation, Realtek 8101E/8168/8169 NDIS6 32-bit Driver)
0x8C055000 C:\Windows\system32\DRIVERS\tdx.sys 86016 bytes (Microsoft Corporation, TDI Translation Driver)
0x99953000 C:\Windows\System32\drivers\mpsdrv.sys 81920 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8C041000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x89D34000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port -ohjain)
0x8B270000 C:\Windows\system32\DRIVERS\raspptp.sys 77824 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x97459000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8C687000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x89D47000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8AE32000 C:\Windows\system32\DRIVERS\LMouKE.Sys 73728 bytes (Logitech Inc., Logitech Filter Driver for Mouse Class.)
0x998CA000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 73728 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x87794000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x80405000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x94250000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8807D000 C:\Windows\system32\drivers\mfeavfk.sys 65536 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0x80465000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x880FD000 C:\Windows\System32\Drivers\NDProxy.SYS 65536 bytes (Microsoft Corporation, NDIS Proxy)
0x881E1000 C:\Windows\system32\DRIVERS\amdk8.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x8AE9C000 C:\Windows\system32\drivers\mfeapfk.sys 61440 bytes (McAfee, Inc., Access Protection Filter Driver)
0x8AED8000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x81E04000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x81E13000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8AE60000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8AE6F000 C:\Windows\system32\DRIVERS\termdd.sys 61440 bytes (Microsoft Corporation, Terminal Server Driver)
0x8020A000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x94E10000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8AE52000 C:\Windows\system32\DRIVERS\L8042mou.Sys 57344 bytes (Logitech Inc., Logitech PS/2 Mouse Filter Driver.)
0x8C260000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8AE44000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x80457000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x89D71000 C:\Windows\system32\DRIVERS\usbehci.sys 57344 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8BC32000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8BC0B000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modeemin laiteohjain)
0x8B263000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x89C65000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8026D000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x8C340000 C:\Windows\system32\drivers\mfetdik.sys 49152 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0x8C3B8000 C:\Windows\System32\DRIVERS\tssecsrv.sys 49152 bytes (Microsoft Corporation, TS Security Filter Driver)
0x89DF4000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8AF9D000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8AF66000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class -ohjain)
0x8AF71000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class -ohjain)
0x8AF92000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8AF87000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8AFA8000 C:\Windows\System32\drivers\tcpipreg.sys 45056 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8AF7C000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8AFD4000 C:\Windows\system32\drivers\tdtcp.sys 45056 bytes (Microsoft Corporation, TCP Transport Driver)
0x8AF5B000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x80475000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x8C005000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8B22F000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9429C000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8BC01000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x94260000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x89C46000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x8778B000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x89CF8000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8C7CA000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x802BD000 C:\Windows\system32\PSHED.dll 36864 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x89D01000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x94E00000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x89D1C000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x80221000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x80415000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x802B5000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x884C8000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x802C6000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x80219000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x88528000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x88538000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x81E22000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x89CB0000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x89C7F000 C:\Windows\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0x89CE1000 C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys 28672 bytes (McAfee, Inc., VSCore Code Analysis Driver)
0x89CA9000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x80200000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8842A000 C:\Windows\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x88460000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0x88580000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x89D83000 C:\Windows\system32\DRIVERS\L8042Kbd.sys 16384 bytes (Logitech Inc., Logitech PS2 Keyboard Filter Driver.)
0x80207000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x88568000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
==============================================
>Stealth
==============================================
0x8551AA9B Unknown page with executable code, 1381 bytes
0x8551D86A Unknown page with executable code, 1942 bytes
0x8551F794 Unknown page with executable code, 2156 bytes
0x8551D78B Unknown page with executable code, 2165 bytes
0x8551F62D Unknown page with executable code, 2515 bytes
0x85519288 Unknown page with executable code, 3448 bytes
0x8551B19B Unknown page with executable code, 3685 bytes
0x8551DE84 Unknown thread object [ ETHREAD 0x85503D78 ] TID: 268, 600 bytes
0x85520084 Unknown thread object [ ETHREAD 0x8561F020 ] TID: 272, 600 bytes
0x8551F15A Unknown thread object [ ETHREAD 0x856FFD78 ] , 600 bytes
0x8551DB4F Unknown thread object [ ETHREAD 0x856FFAD0 ] , 600 bytes
0x8551FD58 Unknown page with executable code, 680 bytes


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

#6 myrti (Sillyberry; Malware Study Hall Admin; 33,779 posts)

Posted 04 April 2011 - 09:33 AM

Hi,

please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#7 ningo (Topic Starter; Members; 23 posts)

Posted 04 April 2011 - 12:55 PM

Hi myrti

I downloaded ComboFix. Didn't let me download it straight to desktop so I downloaded it to Downloads and then manually copied it to desktop.

Disabled Windows Firewall, and uninstalled McAfee (as it didn't let me disable it and was anyway running funny - updates kept on failing). Superantispyware and MBAM that I have are free versions so I didn't do anything with them (real-time protection on them is disabled).

Trying to run ComboFix resulted in BSOD. Tried this twice. I've attached pictures of the BSOD if that helps. Can you help me with what went wrong?

Thanks,

ningo

#8 ningo (Topic Starter; Members; 23 posts)

Posted 04 April 2011 - 12:57 PM

Hi myrti

I downloaded ComboFix. Didn't let me download it straight to desktop so I downloaded it to Downloads and then manually copied it to desktop.

Disabled Windows Firewall, and uninstalled McAfee (as it didn't let me disable it and was anyway running funny - updates kept on failing). Superantispyware and MBAM that I have are free versions so I didn't do anything with them (real-time protection on them is disabled).

Trying to run ComboFix resulted in BSOD. Tried this twice. I've attached pictures of the BSOD if that helps. Can you help me with what went wrong?

Thanks,

ningo

Attached Files



#9 myrti (Sillyberry; Malware Study Hall Admin; 33,779 posts)

Posted 04 April 2011 - 02:04 PM

Hi,

is the PC still booting normally if ComboFix isn't run?

If so please rename ComboFix to fun.com and try it once more. If you still get a BSOD we will try an alternate tool.


regards myrti



#10 ningo (Topic Starter; Members; 23 posts)

Posted 04 April 2011 - 04:46 PM

Hi myrti,

I changed the Combofix name to fun.com.exe. Double-clicked on it and before it had managed to even open completely my computer froze and had to unplug it to get it restarted. No BSOD though.

Should I try and rename it as fun.com [using com instead of exe] and then re-run it? I was unsure whether I should do this, as Windows warned me that the file might not be operable if I change the file name/directory.

After uninstalling McAfee I've now installed avast. Obviously disabled it and my firewall before running ComboFix.

My computer boots normally - I only had BSOD when trying to run ComboFix the first time.

Thanks,

ningo

#11 myrti (Sillyberry; Malware Study Hall Admin; 33,779 posts)

Posted 05 April 2011 - 06:30 AM

Hi,

yes, please change the file extension too; it is possible that malware is tracking everything with the extension .exe and thereby interfering with ComboFix.

regards myrti



#12 ningo (Topic Starter; Members; 23 posts)

Posted 05 April 2011 - 08:34 AM

Hi myrti,

ComboFix worked! Here is the log. As my computer is configured to run in Finnish, some of the bits are not in English. If there are any bits you'd like to be translated just let me know.

Files on my computer are not appearing as hidden anymore. The Windows Recovery icon is still on the desktop (don't know if it's legitimate) and I still have the google redirect issue.

---

ComboFix 11-03-30.02 - Irina 05.04.2011 14:05:53.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.358.1035.18.1918.1204 [GMT 1:00]
Sijainti: c:\users\Irina\Desktop\fun.com
.
- VÄHENNETYN TOIMINNALLISUUDEN TILA -
.
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\firststeps\FirstSteps.exe
C:\LanGpaCK
c:\langpack\Lang.txt
.
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2011-03-05 to 2011-04-05 )))))))))))))))))
.
.
2011-04-05 13:08 . 2011-04-05 13:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-04-05 13:08 . 2011-04-05 13:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-04 18:15 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-04 18:15 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-04 18:15 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-04 18:15 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-04 18:15 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-04 18:15 . 2011-02-23 13:55 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-04 18:14 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-04 18:14 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-04 18:14 . 2011-04-04 18:14 -------- d-----w- c:\programdata\AVAST Software
2011-04-04 18:14 . 2011-04-04 18:14 -------- d-----w- c:\program files\AVAST Software
2011-03-27 12:12 . 2011-03-27 12:12 -------- d-----w- c:\program files\Secunia
2011-03-27 10:41 . 2011-04-05 08:56 1283998 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-03-25 05:00 . 2011-03-25 05:00 331776 --sha-w- c:\users\Irina\AppData\Local\jik.exe
2011-03-25 00:16 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-25 00:16 . 2011-03-25 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-19 13:49 . 2011-03-19 13:49 -------- d--h--w- c:\program files\iPod
2011-03-19 13:49 . 2011-03-19 13:52 -------- d--h--w- c:\program files\iTunes
2011-03-13 21:53 . 2011-03-27 15:15 -------- d--h--w- c:\users\Irina\AppData\Roaming\PhotoScape
2011-03-13 21:48 . 2011-03-13 21:48 -------- d--h--w- c:\program files\PhotoScape
2011-03-12 19:19 . 2011-03-12 19:19 -------- d--h--w- c:\program files\Bonjour
.
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-16 1232896]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-19 2423752]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-29 4317184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"recinfo795"="c:\recinfo\RecInfo.exe" [2007-10-23 2764800]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 153136]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-1-5 813584]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2725038491-1517790310-2373979269-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 nvcoafl4;nvcoafl4;c:\program files\Norman\Nvc\bin\nvcoafl4.sys [x]
R3 nvcoaft4;nvcoaft4;c:\program files\Norman\Nvc\bin\nvcoaft4.sys [x]
R3 nvcoarc4;nvcoarc4;c:\program files\Norman\Nvc\bin\nvcoarc4.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.fi/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: V&ie Microsoft Exceliin - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Vie Microsoft E&xceliin - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Irina\AppData\Roaming\Mozilla\Firefox\Profiles\b0hqollt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pointshop.fi/ep_startpage.asp?do=sp&userid=3016053&tjecksum=5440959612&email=suklaatajakahvia@gmail.com&doAutoLogin=true
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{5d393167-8b1c-4ce1-8593-0ba5f39f3210}: {5d393167-8b1c-4ce1-8593-0ba5f39f3210} - %profile%\extensions\{5d393167-8b1c-4ce1-8593-0ba5f39f3210}
FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
.
- - - - POISTETUT JÄMÄRIVIT - - - -
.
HKCU-Run-JgUJevQpNnePtDM - c:\programdata\JgUJevQpNnePtDM.exe
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 14:10
Windows 6.0.6000 NTFS
.
tarkistaa piilotettuja prosesseja ...
.
tarkistaa piilotettuja käynnistysarvoja ...
.
tarkistaa piilotettuja tiedostoja ...
.
tarkistus on valmis
piilotetut tiedostot: 0
.
**************************************************************************
.
--------------------- LUKITUT REKISTERIAVAIMET ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Valmistumisajankohta: 2011-04-05 14:16:23
ComboFix-quarantined-files.txt 2011-04-05 13:16
.
Ennen ajoa: 14 401 191 936 tavua vapaana
Ajon jälkeen: 15 542 755 328 tavua vapaana
.
- - End Of File - - 6D3CB0F51F497548C4CAAB4F1536DBAE
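
The log above is read by the helper for a handful of things: the file list with its attribute flags (jik.exe is listed as --sha-w-, i.e. system+hidden, in a user profile directory), the Run keys, the policy values EnableLUA=0 (User Account Control switched off) and HideSCAHealth=1 (Security Center health notifications hidden), and the leftover entries ComboFix removed (an HKCU Run value pointing at a randomly named executable under ProgramData, and a SafeBoot driver entry). The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses a constructed sample in the same layout (the sample lines are copied from the log posted above) and returns the items a triage pass would flag. The category names, the list of user-writable locations and the heuristics themselves are my own choices, not anything ComboFix defines.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # short tag for the kind of item worth a second look
    detail: str    # the path, value or entry that triggered it


# Constructed sample in the ComboFix log layout. The lines are copied from the log
# posted in this thread; they are embedded here only so the script runs offline.
SAMPLE_LOG = r"""
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2011-03-05 to 2011-04-05 )))))))))))))))))
.
2011-04-04 18:15 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-25 05:00 . 2011-03-25 05:00 331776 --sha-w- c:\users\Irina\AppData\Local\jik.exe
2011-03-25 00:16 . 2011-03-25 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-16 1232896]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-19 2423752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
- - - - POISTETUT JÄMÄRIVIT - - - -
.
HKCU-Run-JgUJevQpNnePtDM - c:\programdata\JgUJevQpNnePtDM.exe
SafeBoot-klmdb.sys
"""

# File line: "created . modified size attrs path"; size is "--------" for directories
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) ([-\w]{8}) (.+)$"
)
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
LEGACY_RUN = re.compile(r"^(HKCU|HKLM)-Run-(\S+) - (.+)$")   # entries ComboFix removed
SAFEBOOT = re.compile(r"^SafeBoot-(\S+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Locations a standard user can write to; an autostart entry there deserves a look
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def triage(log_text):
    """Walk a ComboFix-style log and return the findings in the order they appear."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            _size, attrs, path = m.groups()
            # system+hidden on an executable is a classic way to keep a dropper out of sight
            if "s" in attrs and "h" in attrs and path.lower().endswith(EXEC_EXT):
                findings.append(Finding("hidden-system-executable", path))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_LINE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if current_key.endswith(r"policies\system") and name == "EnableLUA" and value.startswith("0"):
                findings.append(Finding("uac-disabled", f"{name}={value}"))
            elif current_key.endswith(r"policies\explorer") and name == "HideSCAHealth" and value.startswith("1"):
                findings.append(Finding("security-center-hidden", f"{name}={value}"))
            elif current_key.endswith(r"currentversion\run"):
                # the value is  "path" [date size]  or a bare file name; take the path part
                exe = value.split('"')[1].lower() if value.startswith('"') else value.split()[0].lower()
                if any(marker in exe for marker in USER_WRITABLE):
                    findings.append(Finding("run-from-user-writable", f"{name} -> {exe}"))
            continue
        m = LEGACY_RUN.match(line)
        if m:
            hive, name, target = m.groups()
            findings.append(Finding("legacy-run-removed", f"{hive}\\...\\Run\\{name} -> {target}"))
            continue
        m = SAFEBOOT.match(line)
        if m:
            # a driver registered to load in Safe Mode is worth knowing about
            findings.append(Finding("safeboot-entry-removed", m.group(1)))
    return findings


def by_category(findings):
    """Count findings per category, for a one-line summary."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.category:28} {f.detail}")
    print(by_category(results))
```

On the sample the script reports the hidden+system jik.exe, the two policy values, the removed HKCU Run entry and the removed SafeBoot entry; the two Run values under Program Files produce nothing, which is the point of the user-writable-location check. Feed it a full log by reading the file with a UTF-8 (or cp1252, as here) encoding and passing the text to triage().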

#13 myrti (Sillyberry; Malware Study Hall Admin; 33,779 posts)

Posted 05 April 2011 - 08:40 AM

Hi,

I am guessing this means "reduced functionality mode": - VÄHENNETYN TOIMINNALLISUUDEN TILA -?

If so please upload a new version of ComboFix and run another scan with it. Your version is too old.

regards myrti



#14 ningo (Topic Starter; Members; 23 posts)

Posted 05 April 2011 - 11:04 AM

Hi myrti,

You are right about the translation.

The version I used the last time was from link 1 you provided. This is from link 2. I hope it is the right version.

I've still got the same issues with Windows Recovery icon and google redirect.

Thanks for your help so far, btw! Don't know what I would do without it!



---

ComboFix 11-04-04.04 - Irina 05.04.2011 16:26:20.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.358.1035.18.1918.1181 [GMT 1:00]
Sijainti: c:\users\Irina\Desktop\fun.com
.
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2011-03-05 to 2011-04-05 )))))))))))))))))
.
.
2011-04-05 15:34 . 2011-04-05 15:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-04-05 15:34 . 2011-04-05 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-05 13:00 . 2011-04-05 13:22 -------- d-----w- C:\fun
2011-04-04 18:15 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-04 18:15 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-04 18:15 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-04 18:15 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-04 18:15 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-04 18:15 . 2011-02-23 13:55 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-04 18:14 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-04 18:14 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-04 18:14 . 2011-04-04 18:14 -------- d-----w- c:\programdata\AVAST Software
2011-04-04 18:14 . 2011-04-04 18:14 -------- d-----w- c:\program files\AVAST Software
2011-03-27 12:12 . 2011-03-27 12:12 -------- d-----w- c:\program files\Secunia
2011-03-25 05:00 . 2011-03-25 05:00 331776 --sha-w- c:\users\Irina\AppData\Local\jik.exe
2011-03-25 00:16 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-25 00:16 . 2011-03-25 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-19 13:49 . 2011-03-19 13:49 -------- d-----w- c:\program files\iPod
2011-03-19 13:49 . 2011-03-19 13:52 -------- d-----w- c:\program files\iTunes
2011-03-13 21:53 . 2011-03-27 15:15 -------- d-----w- c:\users\Irina\AppData\Roaming\PhotoScape
2011-03-13 21:48 . 2011-03-13 21:48 -------- d-----w- c:\program files\PhotoScape
2011-03-12 19:19 . 2011-03-12 19:19 -------- d-----w- c:\program files\Bonjour
.
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-16 1232896]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-19 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-29 4317184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"recinfo795"="c:\recinfo\RecInfo.exe" [2007-10-23 2764800]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 153136]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-1-5 813584]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2725038491-1517790310-2373979269-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 nvcoafl4;nvcoafl4;c:\program files\Norman\Nvc\bin\nvcoafl4.sys [x]
R3 nvcoaft4;nvcoaft4;c:\program files\Norman\Nvc\bin\nvcoaft4.sys [x]
R3 nvcoarc4;nvcoarc4;c:\program files\Norman\Nvc\bin\nvcoarc4.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.fi/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: V&ie Microsoft Exceliin - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Vie Microsoft E&xceliin - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Irina\AppData\Roaming\Mozilla\Firefox\Profiles\b0hqollt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pointshop.fi/ep_startpage.asp?do=sp&userid=3016053&tjecksum=5440959612&email=suklaatajakahvia@gmail.com&doAutoLogin=true
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{5d393167-8b1c-4ce1-8593-0ba5f39f3210}: {5d393167-8b1c-4ce1-8593-0ba5f39f3210} - %profile%\extensions\{5d393167-8b1c-4ce1-8593-0ba5f39f3210}
FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 16:35
Windows 6.0.6000 NTFS
.
tarkistaa piilotettuja prosesseja ...
.
tarkistaa piilotettuja käynnistysarvoja ...
.
tarkistaa piilotettuja tiedostoja ...
.
tarkistus on valmis
piilotetut tiedostot: 0
.
**************************************************************************
.
--------------------- LUKITUT REKISTERIAVAIMET ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- Prosesseihin ladatut DLLt ---------------------
.
- - - - - - - > 'Explorer.exe'(4948)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Valmistumisajankohta: 2011-04-05 16:39:03
ComboFix-quarantined-files.txt 2011-04-05 15:39
ComboFix2.txt 2011-04-05 13:16
.
Ennen ajoa: 16 647 700 480 tavua vapaana
Ajon jälkeen: 16 611 213 312 tavua vapaana
.
- - End Of File - - 171416C4B967A9CD7C0493636DA639F5

#15 myrti (Sillyberry; Malware Study Hall Admin; 33,779 posts)

Posted 05 April 2011 - 12:18 PM

Hi,

thanks for letting me know; apparently the link wasn't updated recently. Usually ComboFix will prompt by itself for updates if they are available.

How is the PC?

regards myrti
