
infected with System Fix and cannot run tdsskiller


  • This topic is locked
10 replies to this topic

#1 goldenrose

goldenrose

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 17 December 2011 - 04:50 PM

1. I have a PC with Windows XP.
2. While on the internet I received messages from System Fix, googled to see what it is about and found your "Remove System Fix (Uninstall Guide)". The messages I received were exactly as described in your guide. I followed steps 1-5 in the guide (rebooted into Safe Mode and ran RKill). I could not run TDSS.exe or the zip even after renaming after download, renaming before download, or after installing a renamed file from a disk-on-key (I downloaded the file on a disinfected computer).
3. I downloaded, renamed and ran the Kaspersky Virus Removal Tool. It recognized a trojan (I don't remember the details) which it could not disinfect. I was asked to reboot so that it would be deleted on restart. I did it, then ran RKill again and the Virus Removal Tool, which did not find anything then. TDSSKiller still could not run, but now I got a message that it cannot run in Safe Mode or that some part of the file is missing. I was afraid to try and operate the computer not in Safe Mode.
4. Following instructions on the Kaspersky forum I downloaded and tried to run ComboFix. I received a message that my ESET NOD32 is working. I did not realize I should disable it, since it is out of date and I thought it was inactive. I could not find it or deactivate it, or stop ComboFix. The computer got stuck, I don't know at what stage. I turned it off manually and turned it on again.
5. I repeated running RKill but still could not run TDSSKiller in any form. I tried to go on and install Malwarebytes. I succeeded in installing it only under the name "explorer.exe" but could not activate it since the file was corrupted (I received the same error message on my disinfected computer, so I don't know whether there are problems with the download from the site).
6. I downloaded but couldn't run DDS. I only received a ###### in the log file. I downloaded and ran GMER. The log file is attached.
7. Then I wrote to you. I hope you can help me...

Attached Files

  • Attached File  ark.txt   3.93KB   1 downloads




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,839 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:23 PM

Posted 17 December 2011 - 06:12 PM

:welcome:

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in


    netsvcs
    set /c
    /md5start
    UXTHEME.DLL
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    Userinit.exe
    Explorer.exe
    Winlogon.exe
    Regedit.exe
    SCLWAPI.dll
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
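Once the OTL.txt requested above is posted, the responder reads the SRV and DRV sections by a few rules of thumb: entries whose file is missing but would still be started, binaries living outside the Windows or Program Files trees, odd extensions, and files with no company name in their version info. The Python below is an added example (not OTL's code and not from any post in this thread) that applies those rules to the line format OTL emits, plus the per-file MD5 that the /md5start ... /md5stop block asks OTL to compute, which is only meaningful next to a known-good hash of the same file from the same Windows build. The sample lines are copied from the log posted later in this thread; the trusted-directory list, the rules and the severities are the example author's assumptions.

```python
"""Rule-based triage of the SRV/DRV lines in an OTL (OldTimer's List-It) log.
Added example for this thread: not OTL's code and not from any post here.
Sample lines are copied from the OTL.txt posted in the thread; the rules,
severities and trusted directories are the example author's assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Two shapes of an OTL service/driver line:
#   DRV - [date time | size | attrs | M] (Company) [Type | Start | State] -- C:\x.sys -- (Name) text
#   DRV - File not found [Type | Start | State] -- -- (Name)
_ENTRY = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\))"
    r" \[(?P<flags>[^\]]*)\] -- (?P<path>.*)-- \((?P<name>[^)]*)\).*$"
)
# Where a legitimate XP service or driver binary is expected to live (assumption).
_TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    kind: str       # "SRV" or "DRV"
    name: str       # registry service name
    path: str       # "" when OTL reported "File not found"
    company: str    # "" when the PE carries no company name
    start: str      # Boot / System / Auto / On_Demand / Disabled
    size: int       # bytes, 0 when the file is missing


@dataclass
class Finding:
    name: str
    path: str
    severity: str   # "high" or "review"
    reason: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one SRV/DRV line; returns None for any other line of the log."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    flags = [f.strip() for f in m.group("flags").split("|")]
    start = flags[1] if m.group("kind") == "DRV" else flags[0]  # SRV lines have no Type
    size = 0
    if m.group("stamp"):
        size = int(m.group("stamp").split("|")[1].strip().replace(",", ""))
    return Entry(m.group("kind"), m.group("name"), m.group("path").strip(),
                 (m.group("company") or "").strip(), start, size)


def triage(e: Entry) -> Optional[Finding]:
    """Apply the rules; None means the entry looks unremarkable."""
    low = e.path.lower()
    if not e.path:
        # XP ships dozens of Disabled storage-driver stubs with no file behind
        # them; only an orphan that would actually be started deserves a look.
        if e.start == "Disabled":
            return None
        return Finding(e.name, "", "review", f"set to start ({e.start}) but file is missing")
    if not low.startswith(_TRUSTED_DIRS):
        return Finding(e.name, e.path, "high", "binary outside Windows/Program Files")
    if not low.endswith((".sys", ".exe", ".dll")):
        return Finding(e.name, e.path, "high", "unexpected extension for a service binary")
    if not e.company:
        return Finding(e.name, e.path, "review", "no company name in PE version info")
    return None


def triage_otl(text: str) -> List[Finding]:
    """Run every SRV/DRV line of an OTL log through the rules, in log order."""
    findings = []
    for line in text.splitlines():
        e = parse_entry(line)
        f = triage(e) if e else None
        if f:
            findings.append(f)
    return findings


def md5_of(path: str) -> str:
    """What the /md5start ... /md5stop block asks OTL to do for each listed file:
    hash it so it can be compared with a known-good copy from the same Windows
    build (a patched atapi.sys or explorer.exe shows up as a mismatch)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Sample lines copied from the OTL.txt posted in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/06/26 08:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\123\pev.3XE -- (PEVSystemStart)
SRV - [2008/08/18 13:25:10 | 000,468,224 | -H-- | M] (ESET) [Auto | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ultra)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - [2008/08/18 13:27:42 | 000,034,312 | -H-- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2004/08/04 07:59:42 | 000,095,360 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\atapi.sys -- (atapi)
DRV - [2004/08/04 08:14:26 | 000,048,384 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspptp.sys -- (PptpMiniport) WAN Miniport (PPTP)
"""

if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}: {f.reason} ({f.path or 'no file'})")
```

On the sample lines the rules surface three entries: C:\123\pev.3XE (a service binary outside the Windows and Program Files trees), PCIDump (set to start at System but with no file) and epfwtdir.sys (no company name). "review" means look, not remove: epfwtdir.sys is part of the ESET install on this machine, and PCIDump is a stock XP orphan. The MD5 helper is only useful with a reference hash of the same file version to compare against.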


#3 goldenrose

goldenrose
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:23 PM

Posted 18 December 2011 - 11:37 PM

Thank you very much for the quick response. This is the otl.txt. It took 15 minutes to run the OTL. The other file is attached (Attached File  Extras.Txt   33.22KB   2 downloads):
OTL logfile created on: 19/12/2011 06:07:56 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\שולחן העבודה
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040D | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

223.48 Mb Total Physical Memory | 14.46 Mb Available Physical Memory | 6.47% Memory free
562.51 Mb Paging File | 170.76 Mb Available in Paging File | 30.36% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 55.72 Gb Free Space | 74.77% Space Free | Partition Type: NTFS
Drive E: | 256.48 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: HOME-YLPK6ATUHR | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/19 05:52:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\שולחן העבודה\OTL.exe
PRC - [2007/06/13 15:21:34 | 001,201,664 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (getPlusHelper) getPlus®
SRV - [2011/06/26 08:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\123\pev.3XE -- (PEVSystemStart)
SRV - [2008/08/18 13:30:58 | 000,019,200 | -H-- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2008/08/18 13:25:10 | 000,468,224 | -H-- | M] (ESET) [Auto | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2007/05/16 09:41:18 | 000,029,704 | -H-- | M] (TuneUp Software GmbH) [Auto | Stopped] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2004/02/26 09:52:00 | 000,049,152 | -H-- | M] (Ulead Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2002/03/15 22:37:46 | 000,081,920 | RH-- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (All) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ultra)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_hi)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Simbad)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (SetupNTGLM7X)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (PCIIde)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (NTACCESS)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (IntelIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (i2omp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (hpt3xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (hpn)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (GMSIPCI)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dac960nt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (cd20xrnt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Abiosdsk)
DRV - [2011/08/02 17:38:56 | 000,042,496 | -H-- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2010/02/24 14:31:30 | 000,454,016 | -H-- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\mrxsmb.sys -- (MRxSmb)
DRV - [2010/01/09 21:03:06 | 000,018,304 | RH-- | M] (BCPC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\memoqdrv.sys -- (MEMOQDRV)
DRV - [2009/12/31 18:14:12 | 000,352,640 | -H-- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\srv.sys -- (Srv)
DRV - [2009/10/20 16:58:48 | 000,263,552 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\http.sys -- (HTTP)
DRV - [2009/06/22 13:34:52 | 000,092,544 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\ksecdd.sys -- (KSecDD)
DRV - [2009/05/18 13:17:00 | 000,026,600 | -H-- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/08/18 13:27:42 | 000,034,312 | -H-- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2008/08/18 13:19:26 | 000,053,256 | -H-- | M] (ESET) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2008/08/18 13:18:26 | 000,039,944 | -H-- | M] (ESET) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/08/14 11:51:43 | 000,138,368 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2008/06/20 12:45:13 | 000,360,320 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip.sys -- (Tcpip)
DRV - [2007/12/18 11:51:35 | 000,179,584 | -H-- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2007/11/13 12:25:54 | 000,020,480 | -H-- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/04/23 12:32:54 | 000,364,160 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\update.sys -- (Update)
DRV - [2007/02/09 13:10:35 | 000,574,464 | -H-- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\ntfs.sys -- (Ntfs)
DRV - [2006/08/21 11:14:58 | 000,128,896 | -H-- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\fltmgr.sys -- (FltMgr)
DRV - [2006/06/14 11:00:45 | 000,082,944 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdmaud.sys -- (wdmaud)
DRV - [2006/06/14 10:47:46 | 000,006,400 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\splitter.sys -- (splitter)
DRV - [2006/06/14 10:47:45 | 000,172,416 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\kmixer.sys -- (kmixer)
DRV - [2006/05/10 07:46:44 | 000,082,380 | -H-- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2006/05/05 11:47:57 | 000,174,592 | -H-- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\rdbss.sys -- (Rdbss)
DRV - [2006/02/15 02:22:26 | 000,142,464 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aec.sys -- (aec)
DRV - [2005/09/18 18:46:40 | 000,009,856 | -H-- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2005/06/10 06:11:09 | 000,139,528 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\rdpwd.sys -- (RDPWD)
DRV - [2004/09/30 00:28:37 | 000,134,912 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipnat.sys -- (IpNat)
DRV - [2004/08/27 02:53:40 | 000,021,896 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\tdtcp.sys -- (TDTCP)
DRV - [2004/08/27 02:53:39 | 000,040,840 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\termdd.sys -- (TermDD)
DRV - [2004/08/27 02:53:39 | 000,012,040 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\tdpipe.sys -- (TDPIPE)
DRV - [2004/08/27 02:49:29 | 000,024,448 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kbdclass.sys -- (Kbdclass)
DRV - [2004/08/27 02:49:24 | 000,153,472 | -H-- | M] (Microsoft Corp., Veritas Software) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\dmio.sys -- (dmio)
DRV - [2004/08/27 02:49:22 | 000,799,872 | -H-- | M] (Microsoft Corp., Veritas Software) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2004/08/27 02:49:07 | 000,039,680 | -H-- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\intelppm.sys -- (intelppm)
DRV - [2004/08/27 02:48:51 | 000,052,224 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\volsnap.sys -- (VolSnap)
DRV - [2004/08/27 02:48:45 | 000,063,744 | -H-- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\serial.sys -- (Serial)
DRV - [2004/08/27 02:48:28 | 000,051,200 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2004/08/27 02:48:11 | 000,056,960 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2004/08/27 02:47:44 | 000,038,912 | -H-- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\processr.sys -- (Processor)
DRV - [2004/08/27 02:47:29 | 000,073,344 | -H-- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sr.sys -- (sr)
DRV - [2004/08/27 02:47:19 | 000,022,912 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mouclass.sys -- (Mouclass)
DRV - [2004/08/27 02:47:17 | 000,030,080 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\modem.sys -- (Modem)
DRV - [2004/08/27 02:47:12 | 000,119,552 | -H-- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\pcmcia.sys -- (Pcmcia)
DRV - [2004/08/27 02:47:10 | 000,067,456 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\pci.sys -- (PCI)
DRV - [2004/08/27 02:47:07 | 000,187,264 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ACPI.sys -- (ACPI)
DRV - [2004/08/27 02:47:04 | 000,079,872 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport)
DRV - [2004/08/04 08:15:55 | 000,060,800 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sysaudio.sys -- (sysaudio)
DRV - [2004/08/04 08:15:20 | 000,107,904 | -H-- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\mup.sys -- (Mup)
DRV - [2004/08/04 08:14:37 | 000,162,816 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2004/08/04 08:14:31 | 000,091,776 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndiswan.sys -- (NdisWan)
DRV - [2004/08/04 08:14:28 | 000,182,912 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\ndis.sys -- (NDIS)
DRV - [2004/08/04 08:14:28 | 000,074,752 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ipsec.sys -- (IPSec)
DRV - [2004/08/04 08:14:26 | 000,048,384 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspptp.sys -- (PptpMiniport) WAN Miniport (PPTP)
DRV - [2004/08/04 08:14:22 | 000,051,328 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rasl2tp.sys -- (Rasl2tp) WAN Miniport (L2TP)
DRV - [2004/08/04 08:14:16 | 000,143,360 | -H-- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\fastfat.sys -- (Fastfat)
DRV - [2004/08/04 08:14:10 | 000,063,744 | -H-- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\cdfs.sys -- (Cdfs)
DRV - [2004/08/04 08:10:28 | 000,085,376 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nabtsfec.sys -- (NABTSFEC)
DRV - [2004/08/04 08:10:21 | 000,019,328 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wstcodec.sys -- (WSTCODEC)
DRV - [2004/08/04 08:10:16 | 000,017,024 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdecode.sys -- (CCDECODE)
DRV - [2004/08/04 08:10:16 | 000,011,136 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slip.sys -- (SLIP)
DRV - [2004/08/04 08:10:12 | 000,015,360 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\streamip.sys -- (streamip)
DRV - [2004/08/04 08:10:12 | 000,010,880 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ndisip.sys -- (NdisIP)
DRV - [2004/08/04 08:10:10 | 000,048,128 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2004/08/04 08:10:10 | 000,038,912 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2004/08/04 08:10:08 | 000,061,056 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ohci1394.sys -- (ohci1394)
DRV - [2004/08/04 08:09:58 | 000,051,328 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2004/08/04 08:08:46 | 000,031,616 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbccgp.sys -- (usbccgp)
DRV - [2004/08/04 08:08:46 | 000,026,496 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBSTOR.SYS -- (USBSTOR)
DRV - [2004/08/04 08:08:42 | 000,057,600 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbhub.sys -- (usbhub)
DRV - [2004/08/04 08:08:37 | 000,026,624 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbehci.sys -- (usbehci)
DRV - [2004/08/04 08:08:37 | 000,020,480 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbuhci.sys -- (usbuhci)
DRV - [2004/08/04 08:07:57 | 000,002,944 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\drmkaud.sys -- (drmkaud)
DRV - [2004/08/04 08:07:56 | 000,059,264 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/04 08:07:47 | 000,015,488 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mssmbios.sys -- (mssmbios)
DRV - [2004/08/04 08:07:42 | 000,042,240 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp.sys -- (viaagp)
DRV - [2004/08/04 08:07:38 | 000,052,864 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dmusic.sys -- (DMusic)
DRV - [2004/08/04 08:07:06 | 000,020,992 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vga.sys -- (VgaSave)
DRV - [2004/08/04 08:05:07 | 000,041,472 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspppoe.sys -- (RasPppoe)
DRV - [2004/08/04 08:05:03 | 000,014,336 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\asyncmac.sys -- (AsyncMac)
DRV - [2004/08/04 08:04:57 | 000,034,560 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanarp.sys -- (Wanarp)
DRV - [2004/08/04 08:04:45 | 000,020,992 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipinip.sys -- (IpInIp)
DRV - [2004/08/04 08:04:19 | 000,069,120 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psched.sys -- (PSched)
DRV - [2004/08/04 08:04:12 | 000,035,072 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msgpc.sys -- (Gpc)
DRV - [2004/08/04 08:03:21 | 000,034,560 | -H-- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\netbios.sys -- (NetBIOS)
DRV - [2004/08/04 08:03:12 | 000,012,928 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisuio.sys -- (Ndisuio)
DRV - [2004/08/04 08:01:24 | 000,025,856 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbprint.sys -- (usbprint)
DRV - [2004/08/04 08:01:15 | 000,196,864 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rdpdr.sys -- (rdpdr)
DRV - [2004/08/04 08:00:46 | 000,011,264 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irenum.sys -- (IRENUM)
DRV - [2004/08/04 08:00:43 | 000,030,848 | -H-- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\npfs.sys -- (Npfs)
DRV - [2004/08/04 08:00:41 | 000,019,072 | -H-- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\msfs.sys -- (Msfs)
DRV - [2004/08/04 08:00:31 | 000,066,176 | -H-- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\udfs.sys -- (Udfs)
DRV - [2004/08/04 08:00:15 | 000,041,856 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\imapi.sys -- (Imapi)
DRV - [2004/08/04 08:00:06 | 000,029,056 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ip6fw.sys -- (ip6fw)
DRV - [2004/08/04 07:59:54 | 000,036,352 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\disk.sys -- (Disk)
DRV - [2004/08/04 07:59:54 | 000,011,392 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfloppy.sys -- (Sfloppy)
DRV - [2004/08/04 07:59:52 | 000,049,536 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2004/08/04 07:59:42 | 000,095,360 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\atapi.sys -- (atapi)
DRV - [2004/08/04 07:59:27 | 000,027,392 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fdc.sys -- (Fdc)
DRV - [2004/08/04 07:59:27 | 000,020,480 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\flpydisk.sys -- (Flpydisk)
DRV - [2004/08/04 07:59:07 | 000,015,488 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\serenum.sys -- (serenum)
DRV - [2004/08/04 07:58:46 | 000,015,104 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbscan.sys -- (usbscan)
DRV - [2004/08/04 07:58:41 | 000,007,552 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mskssrv.sys -- (MSKSSRV)
DRV - [2004/08/04 07:58:41 | 000,004,352 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\swenum.sys -- (swenum)
DRV - [2004/08/04 07:58:40 | 000,004,992 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mspqm.sys -- (MSPQM)
DRV - [2004/08/04 07:58:38 | 000,005,504 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mstee.sys -- (MSTEE)
DRV - [2004/08/04 07:58:38 | 000,005,376 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mspclock.sys -- (MSPCLOCK)
DRV - [2004/08/04 07:58:30 | 000,059,904 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atmarpc.sys -- (Atmarpc)
DRV - [2004/08/04 07:58:30 | 000,042,240 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\mountmgr.sys -- (MountMgr)
DRV - [2004/08/04 07:58:29 | 000,061,824 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nic1394.sys -- (NIC1394)
DRV - [2004/08/04 07:58:29 | 000,060,800 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\arp1394.sys -- (Arp1394)
DRV - [2003/07/02 04:42:00 | 000,027,904 | -H-- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/06/16 05:05:40 | 000,369,920 | RH-- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
DRV - [2003/05/27 16:45:06 | 000,003,351 | -H-- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vsp.sys -- (Vsp)
DRV - [2003/04/21 07:54:20 | 000,166,784 | RH-- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2002/03/21 19:37:52 | 000,016,112 | RH-- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2002/03/08 12:49:26 | 000,022,512 | RH-- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2002/02/15 20:26:22 | 000,050,960 | RH-- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2001/10/18 12:00:00 | 000,006,144 | -H-- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaidexp.sys -- (ViaIde)
DRV - [2001/09/19 14:00:00 | 000,125,056 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ftdisk.sys -- (Ftdisk)
DRV - [2001/09/19 14:00:00 | 000,038,016 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\ndproxy.sys -- (NDProxy)
DRV - [2001/09/19 14:00:00 | 000,034,944 | -H-- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\fips.sys -- (Fips)
DRV - [2001/09/19 14:00:00 | 000,032,896 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipfltdrv.sys -- (IpFilterDriver)
DRV - [2001/09/19 14:00:00 | 000,032,512 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkfwd.sys -- (NwlnkFwd)
DRV - [2001/09/19 14:00:00 | 000,018,688 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\partmgr.sys -- (PartMgr)
DRV - [2001/09/19 14:00:00 | 000,018,688 | -H-- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdaudio.sys -- (Cdaudio)
DRV - [2001/09/19 14:00:00 | 000,017,792 | -H-- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/09/19 14:00:00 | 000,016,512 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspti.sys -- (Raspti)
DRV - [2001/09/19 14:00:00 | 000,013,952 | -H-- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\cbidf2k.sys -- (cbidf2k)
DRV - [2001/09/19 14:00:00 | 000,012,416 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkflt.sys -- (NwlnkFlt)
DRV - [2001/09/19 14:00:00 | 000,012,032 | -H-- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\ws2ifsl.sys -- (WS2IFSL)
DRV - [2001/09/19 14:00:00 | 000,011,648 | -H-- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\acpiec.sys -- (ACPIEC)
DRV - [2001/09/19 14:00:00 | 000,009,600 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndistapi.sys -- (NdisTapi)
DRV - [2001/09/19 14:00:00 | 000,008,832 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)
DRV - [2001/09/19 14:00:00 | 000,006,784 | -H-- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\parvdm.sys -- (ParVdm)
DRV - [2001/09/19 14:00:00 | 000,005,888 | -H-- | M] (Microsoft Corp., Veritas Software.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\dmload.sys -- (dmload)
DRV - [2001/09/19 14:00:00 | 000,004,224 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rdpcdd.sys -- (RDPCDD)
DRV - [2001/09/19 14:00:00 | 000,004,224 | -H-- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\mnmdd.sys -- (mnmdd)
DRV - [2001/09/19 14:00:00 | 000,004,224 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\beep.sys -- (Beep)
DRV - [2001/09/19 14:00:00 | 000,002,944 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\null.sys -- (Null)
DRV - [2001/09/18 17:31:18 | 000,907,456 | -H-- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/09/18 15:10:24 | 000,035,840 | -H-- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\isapnp.sys -- (isapnp)
DRV - [2001/08/17 15:59:44 | 000,003,072 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\audstub.sys -- (audstub)
DRV - [2001/08/17 14:13:08 | 000,027,165 | -H-- | M] (VIA Technologies, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS)
DRV - [2001/08/17 14:00:52 | 000,054,272 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swmidi.sys -- (swmidi)
DRV - [2001/08/17 13:56:16 | 000,007,552 | -H-- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://il.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = he
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3E 1C F0 42 CE BC CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/04/19 03:03:08 | 000,000,000 | -H-D | M]


O1 HOSTS File: ([2001/09/19 14:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (AGFormHelperObj Class) - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\Program Files\agat\AGForm\AGFormsHelper.dll (Agat)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AGForms) - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll (Agat)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127058793585 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588 (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9E3DCF64-36B7-42F9-A413-6E8E2F74B534}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\lid {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) -C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) -C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corp.)
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - כלי הטעינה מראש של Browseui - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - שרת (Daemon) של מטמון קטגוריות רכיבים - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) -C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) -C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) -C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) -C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/18 16:31:16 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2000/05/16 13:54:06 | 000,094,208 | R--- | M] (Humongous Entertainment) - E:\AUTOPUTT.EXE -- [ CDFS ]
O32 - AutoRun File - [2002/05/28 18:15:56 | 000,000,381 | R--- | M] () - E:\autoputt.inf -- [ CDFS ]
O32 - AutoRun File - [2002/06/08 13:08:56 | 000,084,806 | R--- | M] () - E:\autoputt.pcx -- [ CDFS ]
O32 - AutoRun File - [2000/02/22 19:09:18 | 000,000,051 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: UxTuneUp - C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software GmbH)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/12/19 05:52:34 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\שולחן העבודה\OTL.exe
[2011/12/17 22:28:48 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr
[2011/12/17 22:26:25 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe
[2011/12/17 22:25:21 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\userinit.exe
[2011/12/17 22:23:01 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe.exe
[2011/12/17 20:41:50 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/12/17 20:34:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/12/17 20:34:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/12/17 20:34:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/12/17 20:34:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/12/17 20:32:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/12/17 20:32:52 | 000,000,000 | --SD | C] -- C:\123
[2011/12/17 20:08:43 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\כלי ניהול
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2011/12/17 20:06:49 | 004,341,982 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.exe
[2011/12/17 19:59:59 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\hadastupid.com
[2011/12/17 19:53:52 | 004,341,982 | ---- | C] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\combofix.exe
[2011/12/17 19:28:46 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\stupid.exe
[2011/12/17 17:44:45 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\iexplore.com.exe
[2011/12/17 17:31:40 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.com.exe
[2011/12/17 17:00:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2011/12/17 16:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2011/12/17 16:59:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2011/12/17 16:59:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2011/12/17 16:59:20 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2011/12/17 16:59:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2011/12/17 16:59:20 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2011/12/17 16:59:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2011/12/17 16:59:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2011/12/17 16:59:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\My Documents
[2011/12/17 16:59:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2011/12/17 16:59:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2011/12/17 16:59:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Favorites
[2011/12/17 16:59:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה
[2011/12/17 16:59:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\עזרים
[2011/12/17 16:59:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\הפעלה
[2011/12/17 16:59:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2011/12/17 16:59:19 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\שולחן העבודה
[2011/12/17 16:59:19 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2011/12/17 16:59:19 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/12/17 16:59:05 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/19 05:52:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\שולחן העבודה\OTL.exe
[2011/12/19 05:47:37 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/19 05:46:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/17 22:35:26 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\b47h12dm.exe
[2011/12/17 22:28:57 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr
[2011/12/17 22:26:25 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe
[2011/12/17 22:25:21 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\userinit.exe
[2011/12/17 22:23:02 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe.exe
[2011/12/17 20:42:08 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/12/17 20:06:49 | 004,341,982 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.exe
[2011/12/17 19:59:59 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\hadastupid.com
[2011/12/17 19:53:52 | 004,341,982 | ---- | M] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\combofix.exe
[2011/12/17 19:42:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\WinZip File חדש.zip
[2011/12/17 19:41:53 | 000,000,058 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\Wave Sound חדש.wav
[2011/12/17 18:35:47 | 000,000,260 | -H-- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/12/17 18:35:40 | 000,000,912 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/17 18:19:01 | 106,727,056 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\setup_11.0.0.1245.x01_2011_12_17_18_24.exe
[2011/12/17 17:44:45 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\iexplore.com.exe
[2011/12/17 17:43:13 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.com.exe
[2011/12/17 17:26:42 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\stupid.exe
[2011/12/17 17:03:20 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\iExplore.exe
[2011/12/17 16:02:01 | 000,000,916 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/17 09:52:51 | 000,000,456 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj
[2011/12/17 09:52:48 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBj
[2011/12/17 09:52:47 | 000,000,184 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBjr
[2011/12/17 09:42:09 | 000,350,472 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj.exe
[2011/11/25 17:16:23 | 000,000,388 | -H-- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/17 22:35:17 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\b47h12dm.exe
[2011/12/17 20:42:06 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/12/17 20:41:53 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/12/17 20:34:25 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/12/17 20:34:25 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/12/17 20:34:25 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/12/17 20:34:25 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/12/17 20:34:25 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/17 19:42:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\WinZip File חדש.zip
[2011/12/17 19:41:53 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\Wave Sound חדש.wav
[2011/12/17 18:18:30 | 106,727,056 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\setup_11.0.0.1245.x01_2011_12_17_18_24.exe
[2011/12/17 17:03:15 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\iExplore.exe
[2011/12/17 16:59:21 | 000,001,599 | -H-- | C] () -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\סיוע מרחוק.lnk
[2011/12/17 16:59:21 | 000,000,792 | -H-- | C] () -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\Windows Media Player.lnk
[2011/12/17 09:42:23 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBj
[2011/12/17 09:42:23 | 000,000,184 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBjr
[2011/12/17 09:42:14 | 000,000,456 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj
[2011/12/17 09:42:09 | 000,350,472 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj.exe
[2011/10/28 20:45:22 | 000,061,132 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/28 23:46:32 | 000,000,748 | -H-- | C] () -- C:\WINDOWS\LMAAL2DD.ini
[2009/12/22 18:45:56 | 000,000,594 | -H-- | C] () -- C:\WINDOWS\hegames.ini
[2008/08/18 13:27:42 | 000,034,312 | -H-- | C] () -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2007/06/24 03:20:47 | 000,000,049 | -H-- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/13 21:27:09 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/21 11:23:17 | 000,000,305 | -H-- | C] () -- C:\WINDOWS\qtw.ini
[2006/05/10 08:57:27 | 000,233,525 | -H-- | C] () -- C:\WINDOWS\System32\isutil.dll
[2006/05/10 08:57:25 | 000,000,271 | -H-- | C] () -- C:\WINDOWS\apptune.ini
[2006/05/10 07:50:44 | 000,000,158 | -H-- | C] () -- C:\WINDOWS\pagesuit.ini
[2006/05/10 07:50:42 | 000,023,040 | -H-- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2006/05/10 07:45:04 | 000,027,875 | -H-- | C] () -- C:\WINDOWS\hpoins01.dat
[2006/05/10 07:45:04 | 000,007,765 | -H-- | C] () -- C:\WINDOWS\hpomdl01.dat
[2006/05/10 07:40:58 | 000,552,960 | RH-- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2006/01/18 18:36:21 | 000,032,768 | -H-- | C] () -- C:\WINDOWS\closewnd.exe
[2005/09/18 19:10:22 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/09/18 18:22:36 | 000,000,385 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/18 18:00:36 | 000,205,312 | RH-- | C] () -- C:\WINDOWS\patchw32.dll
[2005/09/18 18:00:00 | 000,205,312 | RH-- | C] () -- C:\WINDOWS\pw32a.dll
[2005/09/18 17:51:24 | 000,032,768 | -H-- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2005/09/18 17:51:24 | 000,003,351 | -H-- | C] () -- C:\WINDOWS\System32\drivers\vsp.sys
[2005/09/18 17:45:55 | 000,004,293 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/09/18 17:45:10 | 000,363,520 | -H-- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/09/18 17:44:45 | 000,269,392 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/09/18 16:33:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/09/18 16:09:03 | 000,022,160 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/04/06 00:48:36 | 000,072,192 | -H-- | C] () -- C:\WINDOWS\System32\zlibwapi.dll
[2002/03/21 15:39:02 | 000,073,728 | RH-- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2002/03/20 22:01:06 | 000,006,688 | RH-- | C] () -- C:\WINDOWS\System32\Digita.sys
[2002/03/20 22:00:20 | 000,049,152 | RH-- | C] () -- C:\WINDOWS\System32\TransportUSB.dll
[2002/03/20 22:00:20 | 000,049,152 | RH-- | C] () -- C:\WINDOWS\System32\TransportSerial.dll
[2002/03/20 22:00:20 | 000,049,152 | RH-- | C] () -- C:\WINDOWS\System32\TransportIrDA.dll
[2002/03/20 22:00:20 | 000,049,152 | RH-- | C] () -- C:\WINDOWS\System32\TransportIrCOMM.dll
[2001/09/19 14:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/09/19 14:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/09/19 14:00:00 | 000,432,356 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/09/19 14:00:00 | 000,345,584 | -H-- | C] () -- C:\WINDOWS\System32\perfh00d.dat
[2001/09/19 14:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/09/19 14:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/09/19 14:00:00 | 000,213,474 | -H-- | C] () -- C:\WINDOWS\System32\perfi00d.dat
[2001/09/19 14:00:00 | 000,067,312 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/09/19 14:00:00 | 000,067,296 | -H-- | C] () -- C:\WINDOWS\System32\perfc00d.dat
[2001/09/19 14:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/09/19 14:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd00d.dat
[2001/09/19 14:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/09/19 14:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/09/19 14:00:00 | 000,001,788 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/09/19 14:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

========== Custom Scans ==========


< set /c >
No captured output from command...


< MD5 for: AGP440.SYS >
[2005/09/18 19:52:56 | 022,279,249 | -H-- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2005/09/18 19:52:56 | 022,279,249 | -H-- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/13 20:36:38 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\agp440.sys
[2004/08/04 08:07:41 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 08:07:41 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/04 08:07:41 | 000,042,368 | -H-- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2005/09/18 19:52:56 | 022,279,249 | -H-- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2005/09/18 19:52:56 | 022,279,249 | -H-- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | -H-- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\atapi.sys
[2001/09/19 14:00:00 | 000,086,656 | -H-- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2001/09/19 14:00:00 | 000,086,656 | -H-- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[2004/08/04 07:59:42 | 000,095,360 | -H-- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 07:59:42 | 000,095,360 | -H-- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/27 02:53:26 | 000,055,808 | -H-- | M] (Microsoft Corporation) MD5=2DCCBF3AF0DE3AB8C8889BD577FFE4E1 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/27 02:53:26 | 000,055,808 | -H-- | M] (Microsoft Corporation) MD5=2DCCBF3AF0DE3AB8C8889BD577FFE4E1 -- C:\WINDOWS\system32\eventlog.dll
[2008/04/14 04:17:19 | 000,056,320 | -H-- | M] (Microsoft Corporation) MD5=8BCD6F104BED7F1F1513584E9F56B69E -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\eventlog.dll
[2001/09/19 14:00:00 | 000,047,616 | -H-- | M] (Microsoft Corporation) MD5=C270A184E4E5F4CED2AF6221C9CE2C49 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2007/06/13 15:10:13 | 001,201,664 | -H-- | M] (Microsoft Corporation) MD5=1FB3EE7C4D70AACE3063A1E1E0FF7FCF -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2008/04/14 04:17:43 | 001,202,176 | -H-- | M] (Microsoft Corporation) MD5=468D2A8B5F62E25F81C3150263D8E558 -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\explorer.exe
[2007/06/13 15:21:34 | 001,201,664 | -H-- | M] (Microsoft Corporation) MD5=7C66CE267EDD66607B2275FE44235A31 -- C:\WINDOWS\explorer.exe
[2007/06/13 15:21:34 | 001,201,664 | -H-- | M] (Microsoft Corporation) MD5=7C66CE267EDD66607B2275FE44235A31 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2004/08/27 02:53:30 | 001,200,640 | -H-- | M] (Microsoft Corporation) MD5=A275BB2B4CF43625B9F38AD312F5C5A6 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2004/08/27 02:53:30 | 001,200,640 | -H-- | M] (Microsoft Corporation) MD5=A275BB2B4CF43625B9F38AD312F5C5A6 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2001/09/19 14:00:00 | 001,169,408 | -H-- | M] (Microsoft Corporation) MD5=E2776B372125C7B74232143BD58FA80F -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: NETLOGON.DLL >
[2004/08/27 02:53:28 | 000,407,040 | -H-- | M] (Microsoft Corporation) MD5=7548247ECB9BBF590430B54E29448B9D -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/27 02:53:28 | 000,407,040 | -H-- | M] (Microsoft Corporation) MD5=7548247ECB9BBF590430B54E29448B9D -- C:\WINDOWS\system32\netlogon.dll
[2008/04/14 04:17:25 | 000,407,040 | -H-- | M] (Microsoft Corporation) MD5=89AC5ED8D0D035A9F9F2B10C51A76706 -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\netlogon.dll
[2009/02/06 20:46:48 | 000,408,064 | -H-- | M] (Microsoft Corporation) MD5=DB06BAF4E42D8EE49DD6D0C6E0141B0D -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 20:46:48 | 000,408,064 | -H-- | M] (Microsoft Corporation) MD5=DB06BAF4E42D8EE49DD6D0C6E0141B0D -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2001/09/19 14:00:00 | 000,397,824 | -H-- | M] (Microsoft Corporation) MD5=F5A97D23D3AFAC4821E2486750C16B5C -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: REGEDIT.EXE >
[2004/08/27 02:53:32 | 000,145,408 | ---- | M] (Microsoft Corporation) MD5=0C54F7CDA047C436ADFC74CE24BB8028 -- C:\WINDOWS\regedit.exe
[2004/08/27 02:53:32 | 000,145,408 | -H-- | M] (Microsoft Corporation) MD5=0C54F7CDA047C436ADFC74CE24BB8028 -- C:\WINDOWS\ServicePackFiles\i386\regedit.exe
[2004/08/27 02:53:32 | 000,145,408 | -H-- | M] (Microsoft Corporation) MD5=0C54F7CDA047C436ADFC74CE24BB8028 -- C:\WINDOWS\system32\dllcache\regedit.exe
[2001/09/19 14:00:00 | 000,134,144 | -H-- | M] (Microsoft Corporation) MD5=A0A593527673046A3943E95F82CEC402 -- C:\WINDOWS\$NtServicePackUninstall$\regedit.exe
[2008/04/14 04:17:55 | 000,144,896 | -H-- | M] (Microsoft Corporation) MD5=BA9AF3B15C6A0366DD22895A452F98FD -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\regedit.exe

< MD5 for: SCECLI.DLL >
[2001/09/19 14:00:00 | 000,176,640 | -H-- | M] (Microsoft Corporation) MD5=96B99167677D6CF439B0EBE17AFE4C07 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2004/08/27 02:53:28 | 000,182,784 | -H-- | M] (Microsoft Corporation) MD5=B1A3BACF38964D06DE7BD42762DB8420 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/27 02:53:28 | 000,182,784 | -H-- | M] (Microsoft Corporation) MD5=B1A3BACF38964D06DE7BD42762DB8420 -- C:\WINDOWS\system32\scecli.dll
[2008/04/14 04:17:28 | 000,183,808 | -H-- | M] (Microsoft Corporation) MD5=E48B4FA40B6952B768A3AE0E9AAC5268 -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\scecli.dll

< MD5 for: USERINIT.EXE >
[2001/09/19 14:00:00 | 000,021,504 | -H-- | M] (Microsoft Corporation) MD5=72042DBEB0B529D4D8879EDDB913A977 -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 04:18:00 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=82999E21E25EFAE373A36AE5740FAC71 -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\userinit.exe
[2004/08/27 02:53:32 | 000,024,576 | -H-- | M] (Microsoft Corporation) MD5=82B1EC9AA0E7DBFCD4365B642E89409F -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2004/08/27 02:53:32 | 000,024,576 | -H-- | M] (Microsoft Corporation) MD5=82B1EC9AA0E7DBFCD4365B642E89409F -- C:\WINDOWS\system32\userinit.exe
[2011/12/17 22:25:21 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) MD5=893AC84A2BD011559A2B41C00543889A -- C:\Documents and Settings\Administrator\שולחן העבודה\userinit.exe

< MD5 for: UXTHEME.DLL >
[2008/04/14 04:17:30 | 000,218,624 | -H-- | M] (Microsoft Corporation) MD5=D4847BA3A13C890B34CEB5326465506D -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\uxtheme.dll
[2001/09/19 14:00:00 | 000,202,752 | -H-- | M] (Microsoft Corporation) MD5=F6EB669FF71712F21B00196ED73238D1 -- C:\WINDOWS\$NtServicePackUninstall$\uxtheme.dll
[2004/08/27 02:53:29 | 000,218,624 | -H-- | M] (Microsoft Corporation) MD5=F78A96AA47D39AF8FF7FF0B4434D35FA -- C:\WINDOWS\ServicePackFiles\i386\uxtheme.dll
[2004/08/27 02:53:29 | 000,218,624 | -H-- | M] (Microsoft Corporation) MD5=F78A96AA47D39AF8FF7FF0B4434D35FA -- C:\WINDOWS\system32\uxtheme.dll

< MD5 for: WINLOGON.EXE >
[2001/09/19 14:00:00 | 000,430,080 | -H-- | M] (Microsoft Corporation) MD5=2E6C85527F4EEDBBFFE4A60DB42C8A14 -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2011/12/17 22:26:25 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) MD5=893AC84A2BD011559A2B41C00543889A -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe
[2008/04/14 04:18:01 | 000,504,320 | -H-- | M] (Microsoft Corporation) MD5=9DC7D2C3A0956A9FF82C4DD5596613A8 -- C:\WINDOWS\SoftwareDistribution\Download\d648f0416b372dbf4be389ca87755fd5\winlogon.exe
[2004/08/27 02:53:32 | 000,498,688 | -H-- | M] (Microsoft Corporation) MD5=E589065C107815A4F5DB393973A2B9B0 -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2004/08/27 02:53:32 | 000,498,688 | -H-- | M] (Microsoft Corporation) MD5=E589065C107815A4F5DB393973A2B9B0 -- C:\WINDOWS\system32\winlogon.exe

< %SYSTEMDRIVE%\*.* >
[2005/09/18 16:31:16 | 000,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT
[2005/09/18 20:48:29 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/12/17 20:42:08 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2005/09/18 16:31:16 | 000,000,000 | -H-- | M] () -- C:\CONFIG.SYS
[2005/09/18 16:31:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2005/09/18 16:31:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2005/09/18 19:57:24 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2005/09/18 19:57:24 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2011/12/19 06:01:04 | 369,098,752 | -HS- | M] () -- C:\pagefile.sys
[2011/12/19 05:57:15 | 000,000,359 | ---- | M] () -- C:\rkill.log

< %systemroot%\System32\config\*.sav >
[2005/09/18 17:43:39 | 000,094,208 | -H-- | M] () -- C:\WINDOWS\System32\config\default.sav
[2005/09/18 17:43:39 | 000,630,784 | -H-- | M] () -- C:\WINDOWS\System32\config\software.sav
[2005/09/18 17:43:39 | 000,389,120 | -H-- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job >
[2011/11/25 17:16:23 | 000,000,388 | -H-- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
[2011/10/28 19:55:38 | 000,000,284 | -H-- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2006/11/21 17:20:47 | 000,000,340 | -H-- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1147240256.job
[2011/12/17 18:35:40 | 000,000,912 | -H-- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
[2011/12/17 16:02:01 | 000,000,916 | -H-- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
[2011/12/17 18:35:47 | 000,000,260 | -H-- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s >
"Debug" =
"Kmode" = %SystemRoot%\system32\win32k.sys -- [2010/05/02 10:25:59 | 001,850,752 | -H-- | M] (Microsoft Corporation)
"Optional" = Posix [binary data]
"Posix" = %SystemRoot%\system32\psxss.exe
"Required" = DebugWindows [binary data]
"Windows" = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\CSRSS]
"CsrSrvSharedSectionBase" = 2137980928

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\שולחן העבודה\123.com.exe:SummaryInformation

< End of report >

#4 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,839 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 December 2011 - 09:47 AM

Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.

Please download and run Unhide by Grinler.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present

    :Files
    C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj
    C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBj
    C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBjr
    C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj.exe
    C:\WINDOWS\tasks\1-Click Maintenance.job

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.


I see you ran Combofix. Had any issue running this application?

Please run another OTL scan and post its report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 goldenrose

  • Topic Starter

  • Members
  • 6 posts

Posted 19 December 2011 - 09:32 PM

I ran the MGADiag but the "copy" part didn't work. I couldn't find any way to copy it, so I'm typing what was written in it:
Validation info:
Validation status: Genuine (Written in green)
Validation code: 0
Product Key: *****_*****-TMYYF-W77VV-PR8HD
Product Key Hash: 6P/3GBdawtgYU7uMaxDLangnDQ0Q=
Product ID: 55669-640-1418214-23075
Product ID Type: 1 - Volume
Windows OS Version: 5.1.2600.2.00010100.2.0 pro
ID: {8FBCB0D8-6C28-4ADD-93C7-CE9918785405}.(1) (The dot is originally written higher, in the middle of the line)
Administrator: Yes
TestCab: 0x0
LegitcheckControl: Registrd, 1.5.512.0
Signed By: Microsoft
Product Name: N/A
Architecture & Build: N/A N/A
Tss Error: N/A
Validation Diagnostic: 025D1FF3-230-1

Resolution Status: N/A (This line is faded)

I don't know if it means anything, but after copying it all I recalled I forgot to run Rkill after the restart, so I ran Rkill and then MGADiag again and got the same report apart from the ID part, which now has (3) at the end instead of (1).

I didn't understand the question "had any issues running combofix" (I didn't understand the expression). I described my ComboFix experience in my original post, section 4.
I'm sending this because I'm afraid of losing the information, and will then continue with the rest.
Thank you very much!

#6 goldenrose

  • Topic Starter

  • Members
  • 6 posts

Posted 19 December 2011 - 09:48 PM

I ran Unhide. It unhid my files only partially - I can see "microsoft office tools" in the start menu, for instance, but when I click on it, it says "empty".
I ran OTL. The computer did not restart. This is the report I received:

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Recovery\ deleted successfully.
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj moved successfully.
C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBj moved successfully.
C:\Documents and Settings\All Users\Application Data\~RApWFpOei8hwBjr moved successfully.
C:\Documents and Settings\All Users\Application Data\RApWFpOei8hwBj.exe moved successfully.
C:\WINDOWS\tasks\1-Click Maintenance.job moved successfully.

OTL by OldTimer - Version 3.2.31.0 log created on 12202011_044311


I'm not sure where it is saved so I'm sending it and going to run another OTL scan.
Thank you again!

#7 goldenrose

  • Topic Starter

  • Members
  • 6 posts

Posted 19 December 2011 - 10:29 PM

After restarting the computer (after running OTL (Run Fix)), I ran OTL again. This is the report:
OTL logfile created on: 20/12/2011 04:59:19 - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\שולחן העבודה
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040D | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

223.48 Mb Total Physical Memory | 12.46 Mb Available Physical Memory | 5.58% Memory free
546.51 Mb Paging File | 159.39 Mb Available in Paging File | 29.17% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 55.73 Gb Free Space | 74.78% Space Free | Partition Type: NTFS
Drive E: | 256.48 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: HOME-YLPK6ATUHR | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/19 05:52:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\שולחן העבודה\OTL.exe
PRC - [2007/06/13 15:21:34 | 001,201,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (getPlusHelper) getPlus®
SRV - [2011/06/26 08:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\123\pev.3XE -- (PEVSystemStart)
SRV - [2008/08/18 13:30:58 | 000,019,200 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2008/08/18 13:25:10 | 000,468,224 | ---- | M] (ESET) [Auto | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2007/05/16 09:41:18 | 000,029,704 | ---- | M] (TuneUp Software GmbH) [Auto | Stopped] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2004/02/26 09:52:00 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2002/03/15 22:37:46 | 000,081,920 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/01/09 21:03:06 | 000,018,304 | R--- | M] (BCPC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\memoqdrv.sys -- (MEMOQDRV)
DRV - [2008/08/18 13:27:42 | 000,034,312 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2008/08/18 13:19:26 | 000,053,256 | ---- | M] (ESET) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2008/08/18 13:18:26 | 000,039,944 | ---- | M] (ESET) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2006/05/10 07:46:44 | 000,082,380 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2005/09/18 18:46:40 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/07/02 04:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/06/16 05:05:40 | 000,369,920 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
DRV - [2003/05/27 16:45:06 | 000,003,351 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vsp.sys -- (Vsp)
DRV - [2003/04/21 07:54:20 | 000,166,784 | R--- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2001/10/18 12:00:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaidexp.sys -- (ViaIde)
DRV - [2001/09/18 17:31:18 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://il.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = he
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3E 1C F0 42 CE BC CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)



O1 HOSTS File: ([2001/09/19 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (AGFormHelperObj Class) - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\Program Files\agat\AGForm\AGFormsHelper.dll (Agat)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AGForms) - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll (Agat)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127058793585 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588 (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9E3DCF64-36B7-42F9-A413-6E8E2F74B534}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/18 16:31:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2000/05/16 13:54:06 | 000,094,208 | R--- | M] (Humongous Entertainment) - E:\AUTOPUTT.EXE -- [ CDFS ]
O32 - AutoRun File - [2002/05/28 18:15:56 | 000,000,381 | R--- | M] () - E:\autoputt.inf -- [ CDFS ]
O32 - AutoRun File - [2002/06/08 13:08:56 | 000,084,806 | R--- | M] () - E:\autoputt.pcx -- [ CDFS ]
O32 - AutoRun File - [2000/02/22 19:09:18 | 000,000,051 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/20 04:43:11 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/20 03:59:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2011/12/20 03:57:24 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\שולחן העבודה\MGADiag.exe
[2011/12/19 05:52:34 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\שולחן העבודה\OTL.exe
[2011/12/17 22:28:48 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr
[2011/12/17 22:26:25 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe
[2011/12/17 22:25:21 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\userinit.exe
[2011/12/17 22:23:01 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe.exe
[2011/12/17 20:41:50 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/12/17 20:34:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/12/17 20:34:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/12/17 20:34:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/12/17 20:34:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/12/17 20:32:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/12/17 20:32:52 | 000,000,000 | --SD | C] -- C:\123
[2011/12/17 20:08:43 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\כלי ניהול
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2011/12/17 20:08:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2011/12/17 20:06:49 | 004,341,982 | R--- | C] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.exe
[2011/12/17 19:59:59 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\hadastupid.com
[2011/12/17 19:53:52 | 004,341,982 | ---- | C] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\combofix.exe
[2011/12/17 19:28:46 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\stupid.exe
[2011/12/17 17:44:45 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\iexplore.com.exe
[2011/12/17 17:31:40 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.com.exe
[2011/12/17 17:00:51 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2011/12/17 16:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2011/12/17 16:59:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2011/12/17 16:59:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2011/12/17 16:59:20 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2011/12/17 16:59:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Application Data
[2011/12/17 16:59:20 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2011/12/17 16:59:20 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2011/12/17 16:59:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2011/12/17 16:59:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\NetHood
[2011/12/17 16:59:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2011/12/17 16:59:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2011/12/17 16:59:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2011/12/17 16:59:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה
[2011/12/17 16:59:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\עזרים
[2011/12/17 16:59:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\הפעלה
[2011/12/17 16:59:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\SendTo
[2011/12/17 16:59:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\שולחן העבודה
[2011/12/17 16:59:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Templates
[2011/12/17 16:59:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/12/17 16:59:05 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/20 04:54:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/20 04:53:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/20 04:50:24 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/12/20 04:50:21 | 000,000,912 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/20 04:33:57 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\unhide.exe
[2011/12/20 03:57:31 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Administrator\שולחן העבודה\MGADiag.exe
[2011/12/19 05:52:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\שולחן העבודה\OTL.exe
[2011/12/17 22:35:26 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\b47h12dm.exe
[2011/12/17 22:28:57 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\dds.scr
[2011/12/17 22:26:25 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe
[2011/12/17 22:25:21 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\userinit.exe
[2011/12/17 22:23:02 | 009,851,496 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\שולחן העבודה\winlogon.exe.exe
[2011/12/17 20:42:08 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/12/17 20:06:49 | 004,341,982 | R--- | M] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.exe
[2011/12/17 19:59:59 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\hadastupid.com
[2011/12/17 19:53:52 | 004,341,982 | ---- | M] (Swearware) -- C:\Documents and Settings\Administrator\שולחן העבודה\combofix.exe
[2011/12/17 19:42:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\WinZip File חדש.zip
[2011/12/17 19:41:53 | 000,000,058 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\Wave Sound חדש.wav
[2011/12/17 18:19:01 | 106,727,056 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\setup_11.0.0.1245.x01_2011_12_17_18_24.exe
[2011/12/17 17:44:45 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\iexplore.com.exe
[2011/12/17 17:43:13 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\123.com.exe
[2011/12/17 17:26:42 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\שולחן העבודה\stupid.exe
[2011/12/17 17:03:20 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Administrator\שולחן העבודה\iExplore.exe
[2011/12/17 16:02:01 | 000,000,916 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/20 04:33:55 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\unhide.exe
[2011/12/17 22:35:17 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\b47h12dm.exe
[2011/12/17 20:42:06 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/12/17 20:41:53 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/12/17 20:34:25 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/12/17 20:34:25 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/12/17 20:34:25 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/12/17 20:34:25 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/12/17 20:34:25 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/17 19:42:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\WinZip File חדש.zip
[2011/12/17 19:41:53 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\Wave Sound חדש.wav
[2011/12/17 18:18:30 | 106,727,056 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\setup_11.0.0.1245.x01_2011_12_17_18_24.exe
[2011/12/17 17:03:15 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Administrator\שולחן העבודה\iExplore.exe
[2011/12/17 16:59:21 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\סיוע מרחוק.lnk
[2011/12/17 16:59:21 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator\תפריט התחלה\תוכניות\Windows Media Player.lnk
[2011/10/28 20:45:22 | 000,061,132 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/28 23:46:32 | 000,000,748 | ---- | C] () -- C:\WINDOWS\LMAAL2DD.ini
[2009/12/22 18:45:56 | 000,000,594 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2008/08/18 13:27:42 | 000,034,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2007/06/24 03:20:47 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/13 21:27:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/21 11:23:17 | 000,000,305 | ---- | C] () -- C:\WINDOWS\qtw.ini
[2006/05/10 08:57:27 | 000,233,525 | ---- | C] () -- C:\WINDOWS\System32\isutil.dll
[2006/05/10 08:57:25 | 000,000,271 | ---- | C] () -- C:\WINDOWS\apptune.ini
[2006/05/10 07:50:44 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2006/05/10 07:50:42 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2006/05/10 07:45:04 | 000,027,875 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2006/05/10 07:45:04 | 000,007,765 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2006/05/10 07:40:58 | 000,552,960 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2006/01/18 18:36:21 | 000,032,768 | ---- | C] () -- C:\WINDOWS\closewnd.exe
[2005/09/18 19:10:22 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/09/18 18:22:36 | 000,000,385 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/18 18:00:36 | 000,205,312 | R--- | C] () -- C:\WINDOWS\patchw32.dll
[2005/09/18 18:00:00 | 000,205,312 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2005/09/18 17:51:24 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2005/09/18 17:51:24 | 000,003,351 | ---- | C] () -- C:\WINDOWS\System32\drivers\vsp.sys
[2005/09/18 17:45:55 | 000,004,293 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/09/18 17:45:10 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/09/18 17:44:45 | 000,269,392 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/09/18 16:33:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/09/18 16:09:03 | 000,022,160 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/04/06 00:48:36 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\zlibwapi.dll
[2002/03/21 15:39:02 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2002/03/20 22:01:06 | 000,006,688 | R--- | C] () -- C:\WINDOWS\System32\Digita.sys
[2002/03/20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportUSB.dll
[2002/03/20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportSerial.dll
[2002/03/20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportIrDA.dll
[2002/03/20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportIrCOMM.dll
[2001/09/19 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/09/19 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/09/19 14:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/09/19 14:00:00 | 000,345,584 | ---- | C] () -- C:\WINDOWS\System32\perfh00d.dat
[2001/09/19 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/09/19 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/09/19 14:00:00 | 000,213,474 | ---- | C] () -- C:\WINDOWS\System32\perfi00d.dat
[2001/09/19 14:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/09/19 14:00:00 | 000,067,296 | ---- | C] () -- C:\WINDOWS\System32\perfc00d.dat
[2001/09/19 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/09/19 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd00d.dat
[2001/09/19 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/09/19 14:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/09/19 14:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/09/19 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Administrator\שולחן העבודה\123.com.exe:SummaryInformation

< End of report >

Attached File: OTL.Txt (49.02KB)

Many thanks again!
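As an added example (not part of the thread, and not OTL's or BleepingComputer's code), a small Python parser for the `[timestamp | size | attribute flags | C/M] (company) -- path` lines in the OTL file listings above, with a few review heuristics for executables whose names imitate Windows system binaries. The sample lines are constructed after the log (Hebrew folder name replaced with `Desktop`); note that in this thread the Desktop copies of `winlogon.exe` and `iexplore.com.exe` are the poster's own renamed removal tools, which is why the output is a list for a human to review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of OTL's "Files Created" sections (not the thread's
# full log); the Hebrew Desktop folder name is replaced with "Desktop" for readability.
SAMPLE_LOG = """\
[2011/12/17 22:26:25 | 009,851,496 | ---- | C] (Malwarebytes Corporation ) -- C:\\Documents and Settings\\Administrator\\Desktop\\winlogon.exe
[2011/12/17 20:41:50 | 000,000,000 | RHSD | C] -- C:\\cmdcons
[2011/12/17 17:44:45 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\\Documents and Settings\\Administrator\\Desktop\\iexplore.com.exe
[2011/12/17 20:41:53 | 000,260,272 | RHS- | C] () -- C:\\cmldr
[2011/12/17 20:34:25 | 000,208,896 | ---- | C] () -- C:\\WINDOWS\\MBR.exe
[2011/12/17 16:59:20 | 000,000,000 | -HSD | C] -- C:\\Documents and Settings\\Administrator\\Cookies
"""

# [timestamp | size | RHSD flags | C(reated)/M(odified)] (company, files only) -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
SYSTEM_NAMES = {"winlogon.exe", "userinit.exe", "explorer.exe", "iexplore.exe",
                "svchost.exe", "lsass.exe", "csrss.exe"}
EXEC_EXT = (".exe", ".com", ".scr", ".dll", ".sys")

@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str      # R(eadonly) H(idden) S(ystem) D(irectory); '-' where unset
    kind: str       # 'C' created or 'M' modified
    company: str    # empty when OTL found no company name
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["kind"],
                 (m["company"] or "").strip(), m["path"])

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def review_flags(e: Entry) -> List[str]:
    """Heuristics that mark an executable for human review; hints, not verdicts."""
    flags: List[str] = []
    if e.is_dir or not e.name.endswith(EXEC_EXT):
        return flags
    if e.name in SYSTEM_NAMES and not e.path.lower().startswith("c:\\windows\\"):
        flags.append("system binary name outside C:\\WINDOWS")
    if e.name.rsplit(".", 1)[0].endswith(EXEC_EXT):   # e.g. iexplore.com.exe
        flags.append("double executable extension")
    if "H" in e.attrs or "S" in e.attrs:
        flags.append("hidden/system attribute on an executable")
    return flags

def review(text: str) -> Dict[str, List[str]]:
    """Return path -> flags for every entry that triggers at least one heuristic."""
    flagged = ((e.path, review_flags(e)) for e in parse_log(text))
    return {path: flags for path, flags in flagged if flags}
```

Run `review(SAMPLE_LOG)` to get the two Desktop executables flagged while `C:\WINDOWS\MBR.exe` and the directories pass; the same call works on a full OTL `Files Created` or `Files Modified` section pasted in place of the sample.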

#8 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,839 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:23 PM

Posted 19 December 2011 - 11:12 PM

The malware that hit your computer hides all files and most folders on your computer, but most importantly it moves your startup files and folders to a temporary folder.

Unfortunately, when we install programs that perform maintenance jobs, such as removing temp files and folders, those files moved by the malware are deleted and gone forever. Files (actually links) are no longer hidden, but gone. Let's see if we can salvage some of these later in the thread.

Let's attempt to run Combofix once again. The previous Extras report shows ESET installed. Attempt to uninstall ESET for the time being and proceed as follows:

Note: If alerted once again about ESET after being uninstalled, disregard the message and continue.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to MyPoppy as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on MyPoppy.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\MyPoppy.txt". (I believe Combofix will also rename the report.)
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 goldenrose

goldenrose
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:23 PM

Posted 20 December 2011 - 03:17 PM

Well, I have bad news and good news. The bad news is that I couldn't run the ComboFix even as MyPoppy. The very good news is that I got rid of the malware and restored my computer files. I'm explaining so that others could learn from the process I went through: After "MyPoppy" got stuck, I had to shut down the computer manually. Then, for the first time since my computer got infected, I let it reboot in regular mode and not in safe mode. Then I discovered that I'm logged in as "user" and not as "administrator". (I must explain: When I log in to my computer I don't select any option, the Windows screen just comes up, so when I had to choose between "user" and "administrator" I assumed I'm the administrator). So I rebooted into safe mode and started the whole process (downloading Rkill) under "user". I couldn't see Rkill on my desktop after downloading it, so I ran it through the "Run" button on the dialogue box that is left on the screen after installation. This time, running Rkill unhid all my desktop files. I had some problem running TDSSKiller, but I finally downloaded a zip version from the Kaspersky forum and it worked. Then I downloaded and ran MBAM successfully.
So - I'm sorry I wasted your time reading unnecessary logs, but thank you very very much for all the help. I couldn't have done it without you! I'm going now to make a donation (I would love to pay the $85 System Fix asked for to those who fight them), and buy a Kaspersky program to better protect my computer. It is the first time ever I'm infected with any malware and I'm still amazed at how much waste of time, money and effort is caused by pure maliciousness and intelligence that could have been used for better causes.
Many many thanks again!

#10 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,839 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:23 PM

Posted 20 December 2011 - 03:38 PM

Thanks for the feedback. Combofix must also be run as an administrator. Perhaps that was also the issue.

To remove Combofix, rename the application to uninstall and click on it. That should remove the application.

Be safe. :)



#11 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,839 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:23 PM

Posted 11 January 2012 - 10:09 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
