Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with TDSS


  • This topic is locked This topic is locked
12 replies to this topic

#1 prolex

prolex

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:44 PM

Posted 24 November 2011 - 08:26 AM

Hello,
4 days ago I became infected with the System Fix malware, and the TDSS rootkit.I removed System Fix using RKill and Malwarebytes,but I was unable to run TDSSkiller (tried renaming the file).
IEXPLORE.exe process keeps coming up on my task manager,even after I end the process.


I ran DSS but the program closes on his own when the scan is almost done.
GMER reports an error on startup

LoadDriver("C:\WINDOWS\TEMP\pxtdrpod.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

GMER then starts but only displays a few available checkboxes:Services,Registry,Files.






GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-24 15:20:21
Windows 5.1.2600 Service Pack 2
Running: qwfvnk9w.exe; Driver: C:\WINDOWS\TEMP\pxtdrpod.sys


---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F57188C1-1C94-DF1B-9ADD-A67C5E3293C8}

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  ark.txt   361bytes   2 downloads

Edited by prolex, 24 November 2011 - 12:54 PM.


BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:44 PM

Posted 24 November 2011 - 08:39 PM

Hi

Please run the following:

Please download GetPartitions from the link bellow.

You must right click on the link and choose Save as....

Save it as GetPartitions.bat on your desktop

getpartitions.bat

Double click it to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator").

It will produce a log on your C:\ drive C:\DiskReport.txt

please navigate to that file and post the contents of the log in your next reply



NEXT


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 prolex

prolex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:44 PM

Posted 25 November 2011 - 08:28 AM

GetPartitions:


Microsoft DiskPart version 5.1.3565

Copyright © 1999-2003 Microsoft Corporation.
On computer: ALEX

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 C NTFS Partition 12 GB Healthy System
Volume 1 D NTFS Partition 33 GB Healthy
Volume 2 E NTFS Partition 32 GB Healthy




OTL logfile created on: 25.11.2011 15:01:00 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\alex\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000418 | Country: Romania | Language: ROM | Date Format: dd.MM.yyyy

511,23 Mb Total Physical Memory | 350,51 Mb Available Physical Memory | 68,56% Memory free
1,97 Gb Paging File | 1,64 Gb Available in Paging File | 83,35% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12,00 Gb Total Space | 2,18 Gb Free Space | 18,15% Space Free | Partition Type: NTFS
Drive D: | 32,53 Gb Total Space | 31,18 Gb Free Space | 95,83% Space Free | Partition Type: NTFS
Drive E: | 32,15 Gb Total Space | 15,82 Gb Free Space | 49,21% Space Free | Partition Type: NTFS

Computer Name: ALEX | User Name: alex | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.11.25 14:54:52 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\alex\Desktop\OTL.exe
PRC - [2011.10.20 12:58:42 | 002,497,352 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2011.10.07 18:47:14 | 001,883,328 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2011.08.31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011.05.26 05:43:20 | 000,154,424 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
PRC - [2008.11.09 22:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007.05.25 11:41:53 | 000,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddserv.exe
PRC - [2007.05.25 11:41:37 | 000,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe
PRC - [2004.12.14 03:44:30 | 000,065,536 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PRC - [2004.08.04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002.09.20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2007.02.27 06:16:25 | 000,103,936 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxdddrpp.dll
MOD - [2007.02.22 01:14:15 | 000,012,288 | ---- | M] () -- C:\WINDOWS\system32\LXF3PMRC.DLL
MOD - [2007.02.22 01:11:50 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\LXF3PMON.DLL
MOD - [2007.02.22 01:08:56 | 000,032,768 | ---- | M] () -- C:\Program Files\Lexmark Fax Solutions\ipcmt.dll
MOD - [2006.11.07 12:02:18 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\lxf3oem.dll
MOD - [2006.10.22 12:22:00 | 000,212,992 | ---- | M] () -- C:\WINDOWS\system32\nvapi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PnkBstrA)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011.10.07 18:47:14 | 001,883,328 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.05.26 05:43:20 | 000,154,424 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe -- (CLPSLS)
SRV - [2008.11.09 22:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007.05.25 11:41:53 | 000,099,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService)
SRV - [2007.05.25 11:41:37 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxddcoms.exe -- (lxdd_device)
SRV - [2002.09.20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2011.11.21 20:21:54 | 000,053,248 | ---- | M] (Esage Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rk_remover.sys -- (rk_remover-boot)
DRV - [2011.10.07 18:48:04 | 000,097,760 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2011.10.07 18:48:02 | 000,492,768 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2011.10.07 18:48:02 | 000,031,704 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2011.08.31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011.03.18 18:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2010.12.31 14:40:03 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010.11.26 17:02:52 | 000,014,776 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010.11.03 23:00:00 | 000,002,304 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\HtsysmNT.sys -- (Htsysm)
DRV - [2010.09.22 21:19:02 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2009.03.18 16:35:40 | 000,026,176 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2003.09.19 15:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [1996.04.03 21:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html


IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-515967899-1078081533-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaultthis.engineName: "Swag Bucks Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledItems: yespopupsV1@patheticcockroach.com:0.9.8b
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@ogplanet.com/npOGPPlugin: C:\WINDOWS\system32\npOGPPlugin.dll (OGPlanet)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=7: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Program Files\Google\Update\1.2.183.29\npGoogleOneClick8.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\alex\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\alex\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.11.09 18:09:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.10.26 13:19:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.11.09 18:09:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.10.26 13:19:57 | 000,000,000 | ---D | M]

[2008.09.20 17:01:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\alex\Application Data\Mozilla\Extensions
[2011.10.25 14:12:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\extensions
[2011.08.19 07:24:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.10.25 14:12:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011.02.02 21:20:00 | 000,000,000 | ---D | M] (Yes popups) -- C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\extensions\yespopupsV1@patheticcockroach.com
[2011.03.21 13:52:38 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\searchplugins\conduit.xml
[2008.09.20 17:09:23 | 000,000,523 | ---- | M] () -- C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\searchplugins\daemon-search.xml
[2010.01.17 17:07:42 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\searchplugins\web-search.xml
[2011.11.09 18:10:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.04.20 18:17:20 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011.11.09 18:09:49 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010.08.24 11:31:30 | 000,773,120 | ---- | M] (BitComet) -- C:\Program Files\mozilla firefox\plugins\npBitCometAgent.dll
[2011.04.20 18:17:19 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009.10.06 11:40:40 | 000,098,304 | ---- | M] (OGPlanet Inc.) -- C:\Program Files\mozilla firefox\plugins\npOGPPlugin.dll
[2011.07.11 23:48:12 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2010.11.30 14:35:21 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2011.10.05 08:48:04 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.11.09 18:09:49 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Yahoo! (Enabled)
CHR - default_search_provider: search_url = http://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}
CHR - default_search_provider: suggest_url = http://ff.search.yahoo.com/gossip?output=fxjson&command={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\alex\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft Office 2003 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\alex\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\alex\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: BitCometAgent (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
CHR - plugin: OGPlanet Game Launcher Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npOGPPlugin.dll
CHR - plugin: Winamp Application Detector (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npwachk.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\alex\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: OGPlanet Game Plugin (Enabled) = C:\WINDOWS\system32\npOGPPlugin.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2011.11.21 13:42:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - Reg Error: Value error. File not found
O3 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools: = 0
O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools\ShowInfoTip: = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://www.texkitty.com:81/activex/AMC.cab (AxisMediaControlEmb Class)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/da2/PCPitStop2.cab (PCPitstop Exam)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7517E597-E7E0-4CC4-BD8E-8A16F230D64B}: NameServer = 8.26.56.26 156.154.70.22
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) -C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: LanmanWorkstation - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011.11.25 14:54:53 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\alex\Desktop\OTL.exe
[2011.11.24 20:13:57 | 000,000,000 | ---D | C] -- C:\logs
[2011.11.24 17:32:19 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\alex\Desktop\123abc.com
[2011.11.23 17:52:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011.11.22 16:25:18 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011.11.22 16:00:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\Temp
[2011.11.22 16:00:09 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011.11.21 20:24:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\COMODO
[2011.11.21 20:21:54 | 000,053,248 | ---- | C] (Esage Lab) -- C:\WINDOWS\System32\drivers\rk_remover.sys
[2011.11.21 20:17:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo
[2011.11.21 20:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\COMODO
[2011.11.21 20:17:39 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2011.11.21 20:17:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2011.11.21 19:56:48 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011.11.21 19:56:45 | 000,065,808 | ---- | C] (trend_company_name) -- C:\WINDOWS\System32\drivers\tmrkb.sys
[2011.11.21 19:20:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011.11.21 18:53:08 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011.11.21 18:14:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\alex\Start Menu\Programs\Google Chrome
[2011.11.21 17:46:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011.11.21 17:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2011.11.21 16:57:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\alex\Local Settings\Application Data\Threat Expert
[2011.11.21 16:53:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\alex\Local Settings\Application Data\Google
[2011.11.21 16:45:52 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools
[2011.11.21 16:44:11 | 000,185,560 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTSD.sys
[2011.11.21 16:44:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011.11.21 16:43:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011.11.21 16:43:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\alex\Application Data\TestApp
[2011.11.21 16:29:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011.11.21 16:10:15 | 000,071,880 | ---- | C] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-111328
[2011.11.21 16:10:13 | 000,000,000 | ---D | C] -- C:\Program Files\Prevx
[2011.11.21 16:10:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2011.11.21 15:59:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\alex\My Documents\RegRun2
[2011.11.21 15:59:38 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2011.11.21 14:48:30 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011.11.21 14:48:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011.11.21 14:24:13 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011.11.21 14:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011.11.21 14:05:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011.11.21 14:04:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\alex\My Documents\Simply Super Software
[2011.11.20 21:49:41 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011.11.20 20:13:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011.11.20 20:06:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011.11.20 19:54:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2011.11.20 19:52:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2011.11.20 19:51:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\alex\Application Data\IObit
[2011.11.20 19:28:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\alex\Recent
[2011.11.05 10:18:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Perfect World Entertainment
[2008.09.20 17:12:06 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDDhcp.dll
[2008.09.20 17:12:05 | 001,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddserv.dll
[2008.09.20 17:12:05 | 000,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddusb1.dll
[2008.09.20 17:12:05 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddinpa.dll
[2008.09.20 17:12:05 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddiesc.dll
[2008.09.20 17:12:04 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpmui.dll
[2008.09.20 17:12:04 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddlmpm.dll
[2008.09.20 17:12:04 | 000,385,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddih.exe
[2008.09.20 17:12:04 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddprox.dll
[2008.09.20 17:12:04 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpplc.dll
[2008.09.20 17:12:03 | 000,700,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddhbn3.dll
[2008.09.20 17:12:03 | 000,537,520 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcoms.exe
[2008.09.20 17:12:03 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomm.dll
[2008.09.20 17:12:02 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomc.dll
[2008.09.20 17:12:02 | 000,394,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcfg.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.11.25 15:00:55 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag_Startup.job
[2011.11.25 14:54:52 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\alex\Desktop\OTL.exe
[2011.11.25 14:51:01 | 000,001,086 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011.11.25 14:50:21 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011.11.25 14:50:15 | 000,001,082 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011.11.25 14:50:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011.11.24 21:16:01 | 000,001,184 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1078081533-725345543-1003UA.job
[2011.11.24 18:16:02 | 000,001,132 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1078081533-725345543-1003Core.job
[2011.11.24 17:32:17 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\alex\Desktop\123abc.com
[2011.11.24 15:00:56 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\qwfvnk9w.exe
[2011.11.24 14:55:50 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\Defogger.exe
[2011.11.23 16:53:01 | 000,388,914 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011.11.23 16:53:01 | 000,057,208 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011.11.22 18:55:10 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011.11.22 17:05:38 | 000,000,636 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011.11.21 20:32:44 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO Firewall.lnk
[2011.11.21 20:27:09 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011.11.21 20:21:54 | 000,053,248 | ---- | M] (Esage Lab) -- C:\WINDOWS\System32\drivers\rk_remover.sys
[2011.11.21 20:17:46 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\alex\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2011.11.21 20:17:46 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO GeekBuddy.lnk
[2011.11.21 19:56:45 | 000,065,808 | ---- | M] (trend_company_name) -- C:\WINDOWS\System32\drivers\tmrkb.sys
[2011.11.21 19:56:39 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011.11.21 19:37:07 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\Shortcut to firefox.lnk
[2011.11.21 19:13:06 | 000,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011.11.21 18:21:13 | 000,000,248 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011.11.21 18:15:27 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\alex\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011.11.21 18:15:26 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\Google Chrome.lnk
[2011.11.21 16:44:38 | 001,023,106 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011.11.21 16:10:15 | 000,071,880 | ---- | M] (Prevx) -- C:\WINDOWS\System32\PxSecure.dll-111328
[2011.11.21 16:10:14 | 000,076,696 | ---- | M] () -- C:\WINDOWS\System32\drivers\pxrts.sys
[2011.11.21 15:59:51 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011.11.21 15:59:51 | 000,001,792 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2011.11.21 15:59:51 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2011.11.21 14:24:14 | 000,023,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011.11.21 13:42:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011.11.20 21:36:18 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\alex\defogger_reenable
[2011.11.20 19:50:49 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011.11.20 19:22:29 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\Internet.lnk
[2011.11.20 19:08:27 | 000,000,538 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\Rds&Rcs.lnk
[2011.11.20 19:07:27 | 000,000,812 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\Shortcut to YahooMessenger.lnk
[2011.11.20 18:48:18 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\Shortcut to mbam.lnk
[2011.11.13 18:44:10 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\alex\Desktop\SpeedFan.lnk
[2011.11.13 18:44:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\System32\initdebug.nfo
[2011.10.28 11:02:54 | 000,185,560 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTSD.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.11.24 15:00:58 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\qwfvnk9w.exe
[2011.11.24 14:55:53 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\Defogger.exe
[2011.11.21 20:32:44 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO Firewall.lnk
[2011.11.21 20:17:46 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\alex\Application Data\Microsoft\Internet Explorer\Quick Launch\COMODO GeekBuddy.lnk
[2011.11.21 20:17:46 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO GeekBuddy.lnk
[2011.11.21 19:37:07 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\Shortcut to firefox.lnk
[2011.11.21 18:21:13 | 000,000,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011.11.21 18:15:27 | 000,002,255 | ---- | C] () -- C:\Documents and Settings\alex\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011.11.21 18:15:26 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\Google Chrome.lnk
[2011.11.21 18:11:22 | 000,001,184 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1078081533-725345543-1003UA.job
[2011.11.21 18:11:20 | 000,001,132 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1078081533-725345543-1003Core.job
[2011.11.21 16:44:28 | 001,023,106 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011.11.21 16:10:14 | 000,076,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\pxrts.sys
[2011.11.21 16:10:05 | 000,000,636 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011.11.21 15:59:51 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2011.11.21 14:24:14 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011.11.20 21:36:01 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\alex\defogger_reenable
[2011.11.20 20:13:27 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011.11.20 20:13:16 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011.11.20 19:22:29 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\Internet.lnk
[2011.11.20 19:08:27 | 000,000,538 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\Rds&Rcs.lnk
[2011.11.20 19:07:27 | 000,000,812 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\Shortcut to YahooMessenger.lnk
[2011.11.20 18:48:18 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\alex\Desktop\Shortcut to mbam.lnk
[2011.10.14 08:43:07 | 000,000,211 | ---- | C] () -- C:\WINDOWS\RomeTW.ini
[2011.07.15 16:05:48 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\HtsysmNT.sys
[2011.07.07 11:01:51 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2011.06.19 17:16:50 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2011.06.19 17:16:50 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2011.05.05 18:33:17 | 000,025,944 | ---- | C] () -- C:\WINDOWS\System32\SmartDefragBootTime.exe
[2011.05.05 18:33:09 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2011.04.07 16:28:26 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\swp_CTasw.ini
[2011.01.29 09:45:25 | 000,000,982 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2010.12.19 13:51:31 | 000,161,136 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010.11.15 16:30:04 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010.10.13 16:07:51 | 000,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2010.10.13 16:07:51 | 000,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2010.09.15 16:02:54 | 000,012,920 | ---- | C] () -- C:\WINDOWS\System32\apl001.sys
[2010.09.15 16:02:47 | 000,010,872 | ---- | C] () -- C:\WINDOWS\System32\apf001.sys
[2010.08.17 11:05:51 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2010.08.09 19:36:53 | 000,000,020 | ---- | C] () -- C:\WINDOWS\GKLauncherInfo.ini
[2010.05.16 09:24:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010.02.20 13:28:28 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009.01.29 13:35:29 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.01.29 13:35:29 | 000,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2009.01.25 20:46:00 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008.12.08 07:13:32 | 000,000,144 | ---- | C] () -- C:\WINDOWS\TDW.INI
[2008.09.28 19:05:33 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxddvs.dll
[2008.09.28 19:05:30 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxddcoin.dll
[2008.09.28 19:04:41 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdddrs.dll
[2008.09.28 19:04:41 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxddcnv4.dll
[2008.09.28 19:04:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxddcaps.dll
[2008.09.28 19:03:29 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMON.DLL
[2008.09.28 19:03:29 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXF3FXPU.DLL
[2008.09.28 19:03:09 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxf3oem.dll
[2008.09.28 19:03:09 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMRC.DLL
[2008.09.28 18:54:31 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxddrwrd.ini
[2008.09.23 15:34:35 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.09.21 10:10:20 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2008.09.21 10:10:20 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2008.09.21 10:10:20 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2008.09.21 10:10:20 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2008.09.21 10:10:20 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2008.09.21 10:10:20 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2008.09.21 10:10:20 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2008.09.21 10:10:20 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2008.09.21 10:10:20 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2008.09.21 10:10:20 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
[2008.09.21 10:10:20 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2008.09.21 10:10:20 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2008.09.21 10:10:20 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2008.09.21 10:10:20 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2008.09.21 10:10:20 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2008.09.21 10:10:20 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
[2008.09.21 10:10:20 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
[2008.09.21 10:10:20 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2008.09.21 10:10:20 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008.09.20 18:59:35 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008.09.20 18:56:54 | 000,270,984 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008.09.20 17:12:06 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\LXDDinst.dll
[2008.09.20 17:12:03 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxddgrd.dll
[2008.09.20 17:01:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008.09.20 16:22:36 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2008.09.20 16:20:12 | 000,004,328 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008.09.20 16:20:11 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008.09.20 16:17:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008.09.20 16:11:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008.09.16 02:14:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006.10.22 12:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006.10.22 12:22:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006.10.22 12:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006.10.22 12:22:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006.10.22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006.10.22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006.10.22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006.10.22 12:22:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006.10.22 12:22:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006.10.22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006.10.22 12:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004.08.04 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004.08.04 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004.08.04 14:00:00 | 000,388,914 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004.08.04 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004.08.04 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004.08.04 14:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004.08.04 14:00:00 | 000,057,208 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004.08.04 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004.08.04 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004.08.04 14:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004.08.04 14:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004.08.04 14:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004.08.04 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003.01.07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1996.04.03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2011.10.26 13:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\BitComet
[2011.10.14 08:59:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\DAEMON Tools Lite
[2011.04.14 15:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\DAEMON Tools Pro
[2011.11.21 19:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\IObit
[2008.09.28 19:07:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Lexmark Productivity Studio
[2008.09.21 10:17:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\Panasonic
[2011.03.01 17:34:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\SmartDraw
[2010.02.01 14:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\SystemRequirementsLab
[2010.03.19 19:04:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\TeamViewer
[2011.11.21 16:43:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\alex\Application Data\TestApp
[2011.09.21 15:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2010.12.31 14:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011.04.14 15:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2008.09.20 17:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DFX
[2011.09.11 16:37:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Driver Tool
[2011.11.21 14:23:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011.11.21 19:20:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011.11.20 19:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2011.11.21 16:22:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2011.11.21 18:23:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011.11.23 16:23:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010.04.21 18:18:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2011.11.25 15:00:55 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\SmartDefrag_Startup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2004.08.04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2004.08.04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\explorer.exe
[2004.08.04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\explorer.exe
[2004.08.04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SVCHOST.EXE >
[2004.08.04 14:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2004.08.04 14:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\svchost.exe
[2004.08.04 14:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2004.08.04 14:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2004.08.04 14:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2004.08.04 14:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\userinit.exe
[2004.08.04 14:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2004.08.04 14:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004.08.04 14:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2004.08.04 14:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\winlogon.exe
[2004.08.04 14:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2004.08.04 14:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe

< CREATERESTOREPOIN >

========== Alternate Data Streams ==========

@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >






OTL Extras logfile created on: 25.11.2011 15:01:00 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\alex\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000418 | Country: Romania | Language: ROM | Date Format: dd.MM.yyyy

511,23 Mb Total Physical Memory | 350,51 Mb Available Physical Memory | 68,56% Memory free
1,97 Gb Paging File | 1,64 Gb Available in Paging File | 83,35% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12,00 Gb Total Space | 2,18 Gb Free Space | 18,15% Space Free | Partition Type: NTFS
Drive D: | 32,53 Gb Total Space | 31,18 Gb Free Space | 95,83% Space Free | Partition Type: NTFS
Drive E: | 32,15 Gb Total Space | 15,82 Gb Free Space | 49,21% Space Free | Partition Type: NTFS

Computer Name: ALEX | User Name: alex | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-515967899-1078081533-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"58040:TCP" = 58040:TCP:*:Enabled:Pando Media Booster
"58040:UDP" = 58040:UDP:*:Enabled:Pando Media Booster
"58491:TCP" = 58491:TCP:*:Enabled:Pando Media Booster
"58491:UDP" = 58491:UDP:*:Enabled:Pando Media Booster
"57333:TCP" = 57333:TCP:*:Enabled:Pando Media Booster
"57333:UDP" = 57333:UDP:*:Enabled:Pando Media Booster
"57685:TCP" = 57685:TCP:*:Enabled:Pando Media Booster
"57685:UDP" = 57685:UDP:*:Enabled:Pando Media Booster
"57853:TCP" = 57853:TCP:*:Enabled:Pando Media Booster
"57853:UDP" = 57853:UDP:*:Enabled:Pando Media Booster
"56760:TCP" = 56760:TCP:*:Enabled:Pando Media Booster
"56760:UDP" = 56760:UDP:*:Enabled:Pando Media Booster
"56377:TCP" = 56377:TCP:*:Enabled:Pando Media Booster
"56377:UDP" = 56377:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"16694:TCP" = 16694:TCP:*:Enabled:BitComet 16694 TCP
"16694:UDP" = 16694:UDP:*:Enabled:BitComet 16694 UDP
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"58040:TCP" = 58040:TCP:*:Enabled:Pando Media Booster
"58040:UDP" = 58040:UDP:*:Enabled:Pando Media Booster
"58491:TCP" = 58491:TCP:*:Enabled:Pando Media Booster
"58491:UDP" = 58491:UDP:*:Enabled:Pando Media Booster
"8394:TCP" = 8394:TCP:*:Enabled:League of Legends Launcher
"8394:UDP" = 8394:UDP:*:Enabled:League of Legends Launcher
"8393:TCP" = 8393:TCP:*:Enabled:League of Legends Lobby
"8393:UDP" = 8393:UDP:*:Enabled:League of Legends Lobby
"8390:TCP" = 8390:TCP:*:Enabled:League of Legends Game Client
"8390:UDP" = 8390:UDP:*:Enabled:League of Legends Game Client
"6892:TCP" = 6892:TCP:*:Enabled:League of Legends Launcher
"6892:UDP" = 6892:UDP:*:Enabled:League of Legends Launcher
"6881:TCP" = 6881:TCP:*:Enabled:League of Legends Launcher
"6881:UDP" = 6881:UDP:*:Enabled:League of Legends Launcher
"6906:TCP" = 6906:TCP:*:Enabled:League of Legends Launcher
"6906:UDP" = 6906:UDP:*:Enabled:League of Legends Launcher
"57333:TCP" = 57333:TCP:*:Enabled:Pando Media Booster
"57333:UDP" = 57333:UDP:*:Enabled:Pando Media Booster
"8396:TCP" = 8396:TCP:*:Enabled:League of Legends Launcher
"8396:UDP" = 8396:UDP:*:Enabled:League of Legends Launcher
"6905:TCP" = 6905:TCP:*:Enabled:League of Legends Launcher
"6905:UDP" = 6905:UDP:*:Enabled:League of Legends Launcher
"57685:TCP" = 57685:TCP:*:Enabled:Pando Media Booster
"57685:UDP" = 57685:UDP:*:Enabled:Pando Media Booster
"57853:TCP" = 57853:TCP:*:Enabled:Pando Media Booster
"57853:UDP" = 57853:UDP:*:Enabled:Pando Media Booster
"27221:TCP" = 27221:TCP:*:Enabled:BitComet 27221 TCP
"27221:UDP" = 27221:UDP:*:Enabled:BitComet 27221 UDP
"56760:TCP" = 56760:TCP:*:Enabled:Pando Media Booster
"56760:UDP" = 56760:UDP:*:Enabled:Pando Media Booster
"56377:TCP" = 56377:TCP:*:Enabled:Pando Media Booster
"56377:UDP" = 56377:UDP:*:Enabled:Pando Media Booster
"1080:TCP" = 1080:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Lexmark 2500 Series\app4r.exe" = C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application -- ()
"C:\Program Files\NCsoft\Exteel (US)\System\Exteel.exe" = C:\Program Files\NCsoft\Exteel (US)\System\Exteel.exe:*:Enabled:Exteel
"E:\exteel\System\Exteel.exe" = E:\exteel\System\Exteel.exe:*:Enabled:Exteel
"D:\de pe net\Conquer_v5287_P2P.exe" = D:\de pe net\Conquer_v5287_P2P.exe:*:Enabled:Conquer_v5287_P2P.exe
"D:\de pe net\Conquer_P2P_20100921.exe" = D:\de pe net\Conquer_P2P_20100921.exe:*:Enabled:Conquer_P2P_20100921.exe
"D:\de pe net\ZeroEN_2939_client_p2p.exe" = D:\de pe net\ZeroEN_2939_client_p2p.exe:*:Enabled:ZeroEN_2939_client_p2p.exe
"D:\de pe net\Conquer_P2P_20101230.exe" = D:\de pe net\Conquer_P2P_20101230.exe:*:Enabled:Conquer_P2P_20101230.exe
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\WINDOWS\system32\lxddcoms.exe" = C:\WINDOWS\system32\lxddcoms.exe:*:Enabled:Lexmark Communications System -- ( )
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe" = C:\Program Files\Lexmark 2500 Series\lxddamon.exe:*:Enabled:Lexmark Device Monitor -- ()
"C:\Program Files\Lexmark 2500 Series\App4R.exe" = C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio -- ()
"E:\hlds\hlds.exe" = E:\hlds\hlds.exe:*:Enabled:HLDS Launcher -- (Valve)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\WINDOWS\system32\dxdiag.exe" = C:\WINDOWS\system32\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpnsvr.exe" = C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"C:\Documents and Settings\alex\temp\TeamViewer\Version5\TeamViewer.exe" = C:\Documents and Settings\alex\temp\TeamViewer\Version5\TeamViewer.exe:*:Enabled:TeamViewer -- (TeamViewer GmbH)
"D:\cs\hl.exe" = D:\cs\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"D:\cs\hlds.exe" = D:\cs\hlds.exe:*:Enabled:HLDS Launcher -- (Valve)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe:*:Enabled: -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe:*:Enabled: -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe:*:Enabled: -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe:*:Enabled: -- (Lexmark International, Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe" = C:\Program Files\Lexmark 2500 Series\lxddmon.exe:*:Enabled: -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2CDCCE7E-55D5-40CC-AEA0-ABA54713501F}" = LUMIX Simple Viewer
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EAB2511-0135-48CA-A47B-CE1E6836793A}" = COMODO Internet Security
"{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}" = Microsoft SQL Server Native Client
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{78B51FD5-DA3F-4B48-8F3F-4E4068F25D89}_is1" = Conquer Online 2.0
"{7EE9145D-C430-44E6-B5ED-61FF9C332101}_is1" = War of the Immortals
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A9DBEBC-C800-4776-A970-D76D6AA405B1}" = PHOTOfunSTUDIO -viewer-
"{9ABFB92D-93DA-49EE-8ABF-F8195DE45CA9}" = Counter-Strike 1.6
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{BF5EE349-90CD-4422-A43B-661778180173}" = USB Disk Win98 Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}" = Microsoft SQL Server VSS Writer
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DC67641A-05C4-4FED-A462-1EB1DC6CF2F5}" = ArcSoft Software Suite
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"AC3Filter_is1" = AC3Filter 1.63b
"AXIS Media Control Embedded" = AXIS Media Control Embedded
"cayahooantispy" = CA Yahoo! Anti-Spy (remove only)
"CCleaner" = CCleaner
"Cheat Engine 6.1_is1" = Cheat Engine 6.1
"COMODO GeekBuddy" = COMODO GeekBuddy
"DivX Setup.divx.com" = DivX Setup
"DriverAgent.exe" = DriverAgent by eSupport.com
"InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War™
"Lexmark 2500 Series" = Lexmark 2500 Series
"Lexmark Fax Solutions" = Lexmark Fax Solutions
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"MinGW Developer Studio" = MinGW Developer Studio
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"NVIDIA Drivers" = NVIDIA Drivers
"OJI" = Pachet OJI
"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
"Smart Defrag 2_is1" = Smart Defrag 2
"SpeedFan" = SpeedFan (remove only)
"SystemRequirementsLab" = System Requirements Lab
"Uninstall_is1" = Uninstall 1.0.0.1
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Winamp Toolbar for Firefox" = Winamp Toolbar for Firefox
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-515967899-1078081533-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Google Chrome" = Google Chrome
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20.11.2011 15:26:25 | Computer Name = ALEX | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in d:\qxp_slp\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070424: InitEventCollector fail

Error - 20.11.2011 15:26:55 | Computer Name = ALEX | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80080005].

Error - 20.11.2011 15:28:51 | Computer Name = ALEX | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in d:\qxp_slp\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070424: InitEventCollector fail

Error - 20.11.2011 15:35:24 | Computer Name = ALEX | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in d:\qxp_slp\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 80070424: InitEventCollector fail

Error - 20.11.2011 15:35:25 | Computer Name = ALEX | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80080005].

Error - 20.11.2011 16:01:44 | Computer Name = ALEX | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 20.11.2011 16:01:55 | Computer Name = ALEX | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 21.11.2011 13:14:40 | Computer Name = ALEX | Source = pctsSvc.exe | ID = 0
Description =

Error - 22.11.2011 09:46:49 | Computer Name = ALEX | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The directory name is invalid.

Error - 22.11.2011 09:46:50 | Computer Name = ALEX | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The directory name is invalid.

[ System Events ]
Error - 24.11.2011 13:46:52 | Computer Name = ALEX | Source = Service Control Manager | ID = 7000
Description = The Serviciul Google Update (gupdate1ca7a958c0154f6) service failed
to start due to the following error: %%1053

Error - 24.11.2011 13:46:52 | Computer Name = ALEX | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 24.11.2011 13:46:52 | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 24.11.2011 13:55:09 | Computer Name = ALEX | Source = Service Control Manager | ID = 7034
Description = The COMODO livePCsupport Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 24.11.2011 13:55:17 | Computer Name = ALEX | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 25.11.2011 08:50:14 | Computer Name = ALEX | Source = Service Control Manager | ID = 7000
Description = The WebClient service failed to start due to the following error:
%%1290

Error - 25.11.2011 08:50:14 | Computer Name = ALEX | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Serviciul Google Update
(gupdate1ca7a958c0154f6) service to connect.

Error - 25.11.2011 08:50:14 | Computer Name = ALEX | Source = Service Control Manager | ID = 7000
Description = The Serviciul Google Update (gupdate1ca7a958c0154f6) service failed
to start due to the following error: %%1053

Error - 25.11.2011 08:50:14 | Computer Name = ALEX | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 25.11.2011 08:50:14 | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747


< End of report >

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:44 PM

Posted 25 November 2011 - 03:19 PM

Hi, please do the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    IE - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - Reg Error: Value error. File not found
    O3 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
    O3 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - Reg Error: Value error. File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-515967899-1078081533-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [emptyflash]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log


NEXT


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 prolex

prolex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:44 PM

Posted 26 November 2011 - 02:52 AM

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-515967899-1078081533-725345543-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-515967899-1078081533-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1017A80C-6F09-4548-A84D-EDD6AC9525F0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}\ not found.
Registry value HKEY_USERS\S-1-5-21-515967899-1078081533-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-21-515967899-1078081533-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
C:\Documents and Settings\alex\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\alex\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 41044 bytes

User: alex
->Flash cache emptied: 783 bytes

User: All Users

User: Default User
->Flash cache emptied: 41044 bytes

User: LocalService
->Flash cache emptied: 405 bytes

User: NetworkService

Total Flash Files Cleaned = 0,00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 100864 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: alex
->Temp folder emptied: 5193026 bytes
->Temporary Internet Files folder emptied: 751745 bytes
->Java cache emptied: 20102765 bytes
->FireFox cache emptied: 42743208 bytes
->Google Chrome cache emptied: 14643085 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 10456333 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 915446 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 187934 bytes
RecycleBin emptied: 159754 bytes

Total Files Cleaned = 93,00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 11262011_082604

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...





ComboFix 11-11-25.02 - alex 26.11.2011 8:58.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.168 [GMT 2:00]
Running from: c:\documents and settings\alex\Desktop\ComboFix.exe
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2011-10-26 to 2011-11-26 )))))))))))))))))))))))))))))))
.
.
2011-11-26 06:06 . 2011-11-26 06:06 -------- d-----w- C:\_OTL
2011-11-24 18:13 . 2011-11-24 18:13 -------- d-----w- C:\logs
2011-11-23 15:52 . 2011-11-23 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-23 14:49 . 2011-11-23 14:49 -------- d-----w- c:\documents and settings\Administrator
2011-11-22 14:25 . 2011-11-22 14:25 -------- d-----w- c:\program files\Sophos
2011-11-21 18:21 . 2011-11-21 18:21 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2011-11-21 18:17 . 2011-11-21 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-11-21 18:17 . 2011-11-21 18:32 -------- d-----w- c:\program files\COMODO
2011-11-21 18:17 . 2011-11-21 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2011-11-21 17:56 . 2011-11-21 17:56 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-11-21 17:56 . 2011-11-21 17:56 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-11-21 17:20 . 2011-11-21 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-11-21 16:53 . 2011-11-21 17:15 -------- d-----w- c:\program files\PC Tools Security
2011-11-21 15:46 . 2011-11-21 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-11-21 15:46 . 2011-11-21 15:46 -------- d-----w- c:\program files\Common Files\iS3
2011-11-21 14:57 . 2011-11-21 14:57 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Threat Expert
2011-11-21 14:53 . 2011-11-21 16:12 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Google
2011-11-21 14:45 . 2011-11-21 15:51 -------- d-----w- c:\program files\PC Tools
2011-11-21 14:44 . 2011-11-21 17:15 -------- d-----w- c:\program files\Common Files\PC Tools
2011-11-21 14:44 . 2011-10-28 09:02 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-11-21 14:43 . 2011-11-21 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-21 14:43 . 2011-11-21 14:43 -------- d-----w- c:\documents and settings\alex\Application Data\TestApp
2011-11-21 14:10 . 2011-11-21 14:10 71880 ----a-w- c:\windows\system32\PxSecure.dll-111328
2011-11-21 14:10 . 2011-11-21 14:10 76696 ------w- c:\windows\system32\drivers\pxrts.sys
2011-11-21 14:10 . 2011-11-21 14:10 -------- d-----w- c:\program files\Prevx
2011-11-21 14:10 . 2011-11-21 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2011-11-21 13:59 . 2011-11-21 13:59 2 --shatr- c:\windows\winstart.bat
2011-11-21 13:59 . 2011-11-21 14:23 -------- d-----w- c:\program files\UnHackMe
2011-11-21 12:48 . 2011-11-21 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-21 12:48 . 2011-11-21 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-11-21 12:24 . 2011-11-21 12:24 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-21 12:24 . 2011-11-21 12:24 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-11-21 12:23 . 2011-11-21 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-11-20 19:49 . 2011-08-31 15:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 17:54 . 2011-11-20 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2011-11-20 17:52 . 2011-11-20 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2011-11-20 17:51 . 2011-11-21 17:44 -------- d-----w- c:\documents and settings\alex\Application Data\IObit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-13 11:58 . 2004-08-04 12:00 163644 ----a-w- c:\windows\system32\drivers\secdrv.sys
2011-10-12 13:51 . 2011-07-15 18:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 16:48 . 2011-10-07 16:48 97760 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-10-07 16:48 . 2011-10-07 16:48 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-10-07 16:48 . 2011-10-07 16:48 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-10-07 16:48 . 2011-10-07 16:48 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-10-07 16:47 . 2011-10-07 16:47 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-07 16:47 . 2011-10-07 16:47 300200 ----a-w- c:\windows\system32\guard32.dll
2011-11-09 16:09 . 2011-08-20 15:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 2497352]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO]
2011-05-26 03:43 208184 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA]
2011-05-26 03:43 182584 ----a-w- c:\program files\COMODO\COMODO GeekBuddy\VALA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-06-11 19:28 312240 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-11-21 16:11 136176 ----atw- c:\documents and settings\alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
2007-04-30 08:19 20480 ----a-w- c:\program files\Lexmark 2500 Series\lxddamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
2007-06-11 19:27 291760 ----a-w- c:\program files\Lexmark 2500 Series\lxddmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 15:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-21 22:18 6276408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 10:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 10:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 10:22 1622016 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2011-08-13 14:12 3077528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2003-05-05 05:57 143360 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
2005-09-14 18:44 65536 ------w- c:\windows\UMStor\Res.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2011-07-11 21:47 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IS360service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"e:\\hlds\\hlds.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Documents and Settings\\alex\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"d:\\cs\\hl.exe"=
"d:\\cs\\hlds.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddwbgw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16694:TCP"= 16694:TCP:BitComet 16694 TCP
"16694:UDP"= 16694:UDP:BitComet 16694 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"58040:TCP"= 58040:TCP:Pando Media Booster
"58040:UDP"= 58040:UDP:Pando Media Booster
"58491:TCP"= 58491:TCP:Pando Media Booster
"58491:UDP"= 58491:UDP:Pando Media Booster
"8394:TCP"= 8394:TCP:League of Legends Launcher
"8394:UDP"= 8394:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6892:TCP"= 6892:TCP:League of Legends Launcher
"6892:UDP"= 6892:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"6906:TCP"= 6906:TCP:League of Legends Launcher
"6906:UDP"= 6906:UDP:League of Legends Launcher
"57333:TCP"= 57333:TCP:Pando Media Booster
"57333:UDP"= 57333:UDP:Pando Media Booster
"8396:TCP"= 8396:TCP:League of Legends Launcher
"8396:UDP"= 8396:UDP:League of Legends Launcher
"6905:TCP"= 6905:TCP:League of Legends Launcher
"6905:UDP"= 6905:UDP:League of Legends Launcher
"57685:TCP"= 57685:TCP:Pando Media Booster
"57685:UDP"= 57685:UDP:Pando Media Booster
"57853:TCP"= 57853:TCP:Pando Media Booster
"57853:UDP"= 57853:UDP:Pando Media Booster
"27221:TCP"= 27221:TCP:BitComet 27221 TCP
"27221:UDP"= 27221:UDP:BitComet 27221 UDP
"56760:TCP"= 56760:TCP:Pando Media Booster
"56760:UDP"= 56760:UDP:Pando Media Booster
"56377:TCP"= 56377:TCP:Pando Media Booster
"56377:UDP"= 56377:UDP:Pando Media Booster
"1080:TCP"= 1080:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [05.05.2011 18:33 14776]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [07.10.2011 18:48 492768]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [07.10.2011 18:48 31704]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [26.05.2011 05:43 154424]
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [15.07.2011 16:05 2304]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [28.09.2008 19:05 99248]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [03.05.2010 19:22 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20.11.2011 21:49 22216]
S1 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\amdtools.sys --> c:\windows\system32\DRIVERS\amdtools.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.03.2010 13:16 130384]
S2 gupdate1ca7a958c0154f6;Serviciul Google Update (gupdate1ca7a958c0154f6);c:\program files\Google\Update\GoogleUpdate.exe [27.05.2010 20:18 135664]
S3 apf001;apf001;\??\e:\rakionis\Bin\apf001.sys --> e:\rakionis\Bin\apf001.sys [?]
S3 DrvAgent32;DrvAgent32;\??\c:\windows\system32\Drivers\DrvAgent32.sys --> c:\windows\system32\Drivers\DrvAgent32.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\alex\LOCALS~1\Temp\FSV4A.tmp --> c:\docume~1\alex\LOCALS~1\Temp\FSV4A.tmp [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1D.tmp --> c:\windows\system32\1D.tmp [?]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [21.11.2011 20:21 53248]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.03.2010 13:16 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva288;XDva288;\??\c:\windows\system32\XDva288.sys --> c:\windows\system32\XDva288.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva365;XDva365;\??\c:\windows\system32\XDva365.sys --> c:\windows\system32\XDva365.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20.09.2008 17:07 691696]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
.
2011-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-27 18:18]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-27 18:18]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1078081533-725345543-1003Core.job
- c:\documents and settings\alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-21 16:11]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1078081533-725345543-1003UA.job
- c:\documents and settings\alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-21 16:11]
.
2011-11-26 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-09-02 07:35]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{7517E597-E7E0-4CC4-BD8E-8A16F230D64B}: NameServer = 8.26.56.26 156.154.70.22
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.texkitty.com:81/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\alex\Application Data\Mozilla\Firefox\Profiles\m51knun6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Notify-TPSvc - TPSvc.dll
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
MSConfigStartUp-IObit Security 360 - c:\program files\IObit\IObit Security 360\IS360tray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-26 09:31
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\alex\LOCALS~1\Temp\FSV4A.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-515967899-1078081533-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F57188C1-1C94-DF1B-9ADD-A67C5E3293C8}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2716)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'csrss.exe'(456)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2011-11-26 09:47:11
ComboFix-quarantined-files.txt 2011-11-26 07:46
.
Pre-Run: 2.386.739.200 bytes free
Post-Run: 2.363.637.760 bytes free
.
- - End Of File - - 679A422F2EC9BFC8A622F9028692BF65

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:44 PM

Posted 26 November 2011 - 11:10 AM

Please delete the copy of TDSSKiller that you have on your desktop and download a fresh copy, see if it will run now


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT



Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 prolex

prolex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:44 PM

Posted 26 November 2011 - 01:09 PM

Hello,
Thank you for helping!

Here are some issues that I noticed:
Rarely, I am redirected to random websites.
When I am on bleepingcomputer.com my browser closes.(this started to happen recently)
I receive messages from malwarebytes according to which,malwarebytes blocked the access to a potentially malicious website.
IEXPLORE.exe process keeps coming up on my task manager.

I couldn't run TDSSkiller.



I'm sorry but I forgot to change the language.
Malwarebytes did not find anything:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Versiunea bazei de date: 8248

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

26.11.2011 18:50:48
mbam-log-2011-11-26 (18-50-48).txt

Modul de scanare: Scanare rapida
Obiecte scanate: 169524
Timp trecut: 9 minute, 9 secunde

Procese din Memorie Infectate: 0
Module de Memorie Infectate: 0
Chei de Registru Infectate: 0
Valori de Registru Infectate: 0
Date din Registru Infectate: 0
Foldere Infectate: 0
Fisiere Infectate: 0

Procese din Memorie Infectate:
(Nu au fost detectate obiecte malicioase)

Module de Memorie Infectate:
(Nu au fost detectate obiecte malicioase)

Chei de Registru Infectate:
(Nu au fost detectate obiecte malicioase)

Valori de Registru Infectate:
(Nu au fost detectate obiecte malicioase)

Date din Registru Infectate:
(Nu au fost detectate obiecte malicioase)

Foldere Infectate:
(Nu au fost detectate obiecte malicioase)

Fisiere Infectate:
(Nu au fost detectate obiecte malicioase)




ESETSCAN log:
C:\Program Files\Cheat Engine 6.1\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB application
D:\de pe net\CheatEngine61.exe a variant of Win32/HackTool.CheatEngine.AB application
D:\de pe net\winamp5621_full_emusic-7plus_all.exe Win32/OpenCandy application

Edited by prolex, 26 November 2011 - 01:11 PM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:44 PM

Posted 26 November 2011 - 03:04 PM

You may have the new variant of the zero access infection that creates a hidden partition as TDSSKiller wont run and you are still being redirected, please run the following:


  • Please download GetPartitions from here
  • You must right click on the link and choose Save as....
  • Save it as GetPartitions.bat to your desktop
  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator").
  • It will produce a log on your C:\ drive C:\DiskReport.txt
  • please navigate to that file and post the contents of the log in your next reply


NEXT


Please do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 prolex

prolex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:44 PM

Posted 27 November 2011 - 02:02 AM

Microsoft DiskPart version 5.1.3565

Copyright © 1999-2003 Microsoft Corporation.
On computer: ALEX

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 C NTFS Partition 12 GB Healthy System
Volume 1 D NTFS Partition 33 GB Healthy
Volume 2 E NTFS Partition 32 GB Healthy

Attached Files


Edited by prolex, 27 November 2011 - 02:12 AM.


#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:44 PM

Posted 27 November 2011 - 10:43 AM

Hi,

That looks fine, but the fact you still can't run TDSSKiller is troublesome

Please run the following:

Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you dont know the router's default password, you can look it up. HERE
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

NEXT

  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between ..g /f it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.



NEXT


  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 prolex

prolex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:44 PM

Posted 27 November 2011 - 12:54 PM

I couldn't reset my router because I don't have one,but I have dynamic ip address(if it helps).
I tried to run aswMBR.exe but I have not been successful.It doesn't want to start.

Edited by prolex, 27 November 2011 - 12:56 PM.


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:44 PM

Posted 27 November 2011 - 04:19 PM

I'd like to get a dump of the MBR outside of the Windows environment.

You will need a CD

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.


NEXT

  • Boot the infected computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1 or sda2 will usually correspond to your HDD
  • expand the folder that corresponds to your harddrive.
  • Press Tool on the top menu bar
  • Choose Open Terminal
  • Type dd if=/dev/sda of=mbr.bin bs=512 count=1

This will place a back-up of your MBR on your harddrive it will be called C:/mbr.bin


Now exit > Home > reboot (remove the CD so your computer will boot normally)

Please attach that file to your next post

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:44 PM

Posted 05 December 2011 - 03:48 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users