Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I'm infected with RootKit.ZeroAccess


  • This topic is locked This topic is locked
52 replies to this topic

#1 BugSniper

BugSniper

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 23 March 2012 - 05:42 AM

Hello.

My computer began "blinking" with black screens. Means my screen turns black for a short time and then back to normal. I don't think I am limited in using my computer right now. I can use my ESET antivirus or restart in safemode without problems. I was also be able to make the dds and GMER logs without noticeable difficulties.

Anyways, for about a year, each time I restart my computer, my ESET antivirus gives me an error when it attemps to auto-start, but about after 20 seconds I am able to launch it normally. I don't think it is relevant to the current virus because this problem began long ago. (I think I will reinstall my antivirus in the future when I will purcahse a new version of the ESET, in order to solve this problem).

Before visiting your site, I launched ComboFix few times and each time I ran it, it tells me I am infected with RootKit.ZeroAccess! and that it has inserted itself into my TCP/IP stack. It asks me to reboot the machine in order to take care of it, but it doesn't solve the problem. I also tried to use older versions of a software called "Unhack me". Still the rootkit is alive and I can't get rid of it.

I will apperciate any help that you can give me, hoping to solve this problem.
Thanks for reading.

Attached Files

  • Attached File  Ark.txt   13.86KB   10 downloads
  • Attached File  dds.txt   8.77KB   10 downloads


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:56 PM

Posted 26 March 2012 - 04:30 AM

Hello BugSniper and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue.

    Posted Image
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Copy and Paste the following code into the Posted Image textbox.
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    tdx.sys
    afd.sys
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 BugSniper

BugSniper
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 26 March 2012 - 02:59 PM

1. Hello ST! thanks for your reply. I'm using Windows XP. And I'm seeing some words in Hebrew, my windows language, in the logs. TDSS Killer has found two objects. I think that the first, a347bus, is a clone drive called Alcohol which I already tried to remove from my computer. And I think that the second, partizan, belongs to the software "Unhack me" which helps me remove other simpler malicious stuff. I have no special questions, I just want it to be totally malware free.

2.

21:31:38.0515 3132 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
21:31:38.0765 3132 ============================================================
21:31:38.0765 3132 Current date / time: 2012/03/26 21:31:38.0765
21:31:38.0765 3132 SystemInfo:
21:31:38.0765 3132
21:31:38.0765 3132 OS Version: 5.1.2600 ServicePack: 3.0
21:31:38.0765 3132 Product type: Workstation
21:31:38.0765 3132 ComputerName: USER-907F5FD299
21:31:38.0765 3132 UserName: user
21:31:38.0765 3132 Windows directory: C:\WINDOWS
21:31:38.0765 3132 System windows directory: C:\WINDOWS
21:31:38.0765 3132 Processor architecture: Intel x86
21:31:38.0765 3132 Number of processors: 2
21:31:38.0765 3132 Page size: 0x1000
21:31:38.0765 3132 Boot type: Normal boot
21:31:38.0765 3132 ============================================================
21:31:41.0500 3132 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:31:41.0515 3132 Drive \Device\Harddisk1\DR1 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:31:41.0515 3132 Drive \Device\Harddisk2\DR2 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:31:41.0515 3132 \Device\Harddisk0\DR0:
21:31:41.0515 3132 MBR used
21:31:41.0515 3132 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
21:31:41.0515 3132 \Device\Harddisk1\DR1:
21:31:41.0515 3132 MBR used
21:31:41.0515 3132 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x575452C2
21:31:41.0515 3132 \Device\Harddisk2\DR2:
21:31:41.0515 3132 MBR used
21:31:41.0515 3132 \Device\Harddisk2\DR2\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
21:31:41.0671 3132 Initialize success
21:31:41.0671 3132 ============================================================
21:33:15.0468 3500 ============================================================
21:33:15.0468 3500 Scan started
21:33:15.0468 3500 Mode: Manual; SigCheck; TDLFS;
21:33:15.0468 3500 ============================================================
21:33:15.0968 3500 a347bus (1f61cacacb521215f39061789147968c) C:\WINDOWS\system32\DRIVERS\a347bus.sys
21:33:17.0171 3500 a347bus ( UnsignedFile.Multi.Generic ) - warning
21:33:17.0171 3500 a347bus - detected UnsignedFile.Multi.Generic (1)
21:33:17.0421 3500 Abiosdsk - ok
21:33:17.0609 3500 abp480n5 - ok
21:33:17.0890 3500 ACPI (26a773e6c500277c5a817fab68cd0bb9) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:33:20.0187 3500 ACPI - ok
21:33:20.0468 3500 ACPIEC (ea755aa1a97ed90d446e1a43ae3fb619) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:33:20.0578 3500 ACPIEC - ok
21:33:20.0765 3500 adpu160m - ok
21:33:21.0000 3500 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:33:21.0125 3500 aec - ok
21:33:21.0375 3500 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:33:21.0406 3500 AFD - ok
21:33:21.0593 3500 Aha154x - ok
21:33:21.0781 3500 aic78u2 - ok
21:33:21.0968 3500 aic78xx - ok
21:33:22.0171 3500 Alerter (66bba71d7a3590de33fe211ccfcca10c) C:\WINDOWS\system32\alrsvc.dll
21:33:22.0328 3500 Alerter - ok
21:33:22.0515 3500 ALG (20923ff57f894ce9217c683a7efcbe77) C:\WINDOWS\System32\alg.exe
21:33:22.0578 3500 ALG - ok
21:33:22.0765 3500 AliIde - ok
21:33:22.0937 3500 amsint - ok
21:33:23.0171 3500 AppMgmt (a92e8b7eba548071d4cfa38e363e367f) C:\WINDOWS\System32\appmgmts.dll
21:33:23.0218 3500 AppMgmt - ok
21:33:23.0453 3500 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:33:23.0546 3500 Arp1394 - ok
21:33:23.0734 3500 asc - ok
21:33:23.0906 3500 asc3350p - ok
21:33:24.0093 3500 asc3550 - ok
21:33:24.0296 3500 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
21:33:24.0406 3500 aspnet_state - ok
21:33:24.0640 3500 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:33:24.0734 3500 AsyncMac - ok
21:33:24.0968 3500 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:33:25.0062 3500 atapi - ok
21:33:25.0234 3500 Atdisk - ok
21:33:25.0515 3500 atksgt (f0d933b42cd0594048e4d5200ae9e417) C:\WINDOWS\system32\DRIVERS\atksgt.sys
21:33:25.0562 3500 atksgt - ok
21:33:25.0781 3500 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:33:25.0890 3500 Atmarpc - ok
21:33:26.0109 3500 AudioSrv (c7ab88ba43def89bd353811169ab4fe3) C:\WINDOWS\System32\audiosrv.dll
21:33:26.0187 3500 AudioSrv - ok
21:33:26.0421 3500 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:33:26.0515 3500 audstub - ok
21:33:26.0750 3500 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:33:26.0828 3500 Beep - ok
21:33:27.0156 3500 BITS (e8367773660b9bea240a124c1d7f3484) C:\WINDOWS\system32\qmgr.dll
21:33:27.0406 3500 BITS - ok
21:33:27.0625 3500 Browser (af0b00e0550c266cb1fb797c280350b0) C:\WINDOWS\System32\browser.dll
21:33:27.0703 3500 Browser - ok
21:33:27.0781 3500 catchme - ok
21:33:28.0015 3500 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:33:28.0109 3500 cbidf2k - ok
21:33:28.0312 3500 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:33:28.0406 3500 CCDECODE - ok
21:33:28.0593 3500 cd20xrnt - ok
21:33:28.0828 3500 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:33:28.0921 3500 Cdaudio - ok
21:33:29.0156 3500 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:33:29.0234 3500 Cdfs - ok
21:33:29.0437 3500 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:33:29.0546 3500 Cdrom - ok
21:33:29.0718 3500 Changer - ok
21:33:29.0937 3500 CiSvc (bdf639bee30f63e13202cc502e6b2c8a) C:\WINDOWS\system32\cisvc.exe
21:33:30.0031 3500 CiSvc - ok
21:33:30.0234 3500 ClipSrv (70eeea0b82b162d20c38d80869284a5a) C:\WINDOWS\system32\clipsrv.exe
21:33:30.0312 3500 ClipSrv - ok
21:33:30.0500 3500 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:33:30.0515 3500 clr_optimization_v2.0.50727_32 - ok
21:33:30.0718 3500 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
21:33:30.0859 3500 clr_optimization_v4.0.30319_32 - ok
21:33:31.0109 3500 CmdIde - ok
21:33:31.0281 3500 COMSysApp - ok
21:33:31.0453 3500 Cpqarray - ok
21:33:31.0671 3500 CryptSvc (ef329f898fe62ab647f62a94ea89964e) C:\WINDOWS\System32\cryptsvc.dll
21:33:31.0765 3500 CryptSvc - ok
21:33:31.0953 3500 dac2w2k - ok
21:33:32.0125 3500 dac960nt - ok
21:33:32.0421 3500 DcomLaunch (f283f02f93266f3f8f61f0cde2f1cb20) C:\WINDOWS\system32\rpcss.dll
21:33:32.0546 3500 DcomLaunch - ok
21:33:32.0781 3500 Dhcp (9b1aba1f15f97afaad54597b8801c3c5) C:\WINDOWS\System32\dhcpcsvc.dll
21:33:32.0875 3500 Dhcp - ok
21:33:33.0109 3500 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:33:33.0218 3500 Disk - ok
21:33:33.0375 3500 dmadmin - ok
21:33:33.0765 3500 dmboot (759a1336055e6b614b2462d0f45d6278) C:\WINDOWS\system32\drivers\dmboot.sys
21:33:34.0203 3500 dmboot - ok
21:33:34.0421 3500 dmio (8ca1a6932d84b2c23d5d488d23d3b01d) C:\WINDOWS\system32\drivers\dmio.sys
21:33:34.0546 3500 dmio - ok
21:33:34.0734 3500 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:33:34.0828 3500 dmload - ok
21:33:35.0046 3500 dmserver (5583a600ab718485e91b0a503157141e) C:\WINDOWS\System32\dmserver.dll
21:33:35.0125 3500 dmserver - ok
21:33:35.0359 3500 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:33:35.0453 3500 DMusic - ok
21:33:35.0703 3500 Dnscache (515c0419254d9c037aa967fc5ab429d5) C:\WINDOWS\System32\dnsrslvr.dll
21:33:35.0843 3500 Dnscache - ok
21:33:36.0078 3500 Dot3svc (cfbdaa2546e9e828b370014191311cdb) C:\WINDOWS\System32\dot3svc.dll
21:33:36.0187 3500 Dot3svc - ok
21:33:36.0375 3500 dpti2o - ok
21:33:36.0578 3500 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:33:36.0687 3500 drmkaud - ok
21:33:36.0968 3500 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
21:33:37.0000 3500 e1express - ok
21:33:37.0328 3500 eamon (e31464ce787e3a0ffea55baa591897f0) C:\WINDOWS\system32\DRIVERS\eamon.sys
21:33:37.0359 3500 eamon - ok
21:33:37.0562 3500 EapHost (19898ff0d88eecccdf56f2f49557e457) C:\WINDOWS\System32\eapsvc.dll
21:33:37.0640 3500 EapHost - ok
21:33:37.0859 3500 ehdrv (2c95a7a87e4272c1fff9baf579677db3) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
21:33:37.0890 3500 ehdrv - ok
21:33:37.0968 3500 EhttpSrv (5e245b6c66122614000addfcd41cedce) C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
21:33:37.0968 3500 EhttpSrv - ok
21:33:38.0171 3500 ekrn (a5f63285c1b6c4b396d9ace0dffc88ef) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
21:33:38.0328 3500 ekrn - ok
21:33:38.0562 3500 epfwtdir (4699a50183b792d994be657c68f18e9e) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
21:33:38.0609 3500 epfwtdir - ok
21:33:38.0828 3500 ERSvc (cd69db1378ebca466a06ff63fe611165) C:\WINDOWS\System32\ersvc.dll
21:33:38.0921 3500 ERSvc - ok
21:33:39.0171 3500 Eventlog (d45a62d065043db325a301abd88ecc95) C:\WINDOWS\system32\services.exe
21:33:39.0203 3500 Eventlog - ok
21:33:39.0484 3500 EventSystem (51baccdddfc6d6c6df18c6a1c23e3d36) C:\WINDOWS\system32\es.dll
21:33:39.0531 3500 EventSystem - ok
21:33:39.0781 3500 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:33:39.0875 3500 Fastfat - ok
21:33:40.0109 3500 FastUserSwitchingCompatibility (da5deab0aa202eebc14bddecb39f624b) C:\WINDOWS\System32\shsvcs.dll
21:33:40.0156 3500 FastUserSwitchingCompatibility - ok
21:33:40.0375 3500 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:33:40.0484 3500 Fdc - ok
21:33:40.0734 3500 Fips (11bb3067883475f2ecbb77c01181e2d5) C:\WINDOWS\system32\drivers\Fips.sys
21:33:40.0812 3500 Fips - ok
21:33:41.0015 3500 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:33:41.0140 3500 Flpydisk - ok
21:33:41.0406 3500 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:33:41.0515 3500 FltMgr - ok
21:33:41.0687 3500 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
21:33:41.0703 3500 FontCache3.0.0.0 - ok
21:33:41.0890 3500 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:33:41.0968 3500 Fs_Rec - ok
21:33:42.0218 3500 Ftdisk (edf3126968525a17de8b382aec99cdcc) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:33:42.0343 3500 Ftdisk - ok
21:33:42.0593 3500 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:33:42.0687 3500 Gpc - ok
21:33:42.0796 3500 gusvc - ok
21:33:43.0046 3500 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:33:43.0140 3500 HDAudBus - ok
21:33:43.0359 3500 HECI (cc2c8c23417cc7ddf5eddb17e60a14db) C:\WINDOWS\system32\DRIVERS\HECI.sys
21:33:43.0406 3500 HECI - ok
21:33:43.0546 3500 helpsvc (f0c533d0a00c4291b324d3e5edd7ba3b) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
21:33:43.0625 3500 helpsvc - ok
21:33:43.0859 3500 HidServ (405858a5e86d7c4a554605f571640062) C:\WINDOWS\System32\hidserv.dll
21:33:43.0937 3500 HidServ - ok
21:33:44.0156 3500 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:33:44.0250 3500 hidusb - ok
21:33:44.0484 3500 hkmsvc (94c17f4c36a06945cc245c8392d060ea) C:\WINDOWS\System32\kmsvc.dll
21:33:44.0562 3500 hkmsvc - ok
21:33:44.0750 3500 hpn - ok
21:33:45.0031 3500 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:33:45.0109 3500 HTTP - ok
21:33:45.0296 3500 HTTPFilter (f53c9ed88a7496c96a54f84ed5ed1b64) C:\WINDOWS\System32\w3ssl.dll
21:33:45.0421 3500 HTTPFilter - ok
21:33:45.0609 3500 i2omgmt - ok
21:33:45.0812 3500 i2omp - ok
21:33:46.0031 3500 i8042prt (97eef4179f7ec9138254c944bb0e1ef8) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:33:46.0156 3500 i8042prt - ok
21:33:46.0546 3500 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:33:46.0953 3500 idsvc - ok
21:33:47.0171 3500 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:33:47.0281 3500 Imapi - ok
21:33:47.0546 3500 ImapiService (af6fe1ea2c9c4aded73dfbce677b0880) C:\WINDOWS\system32\imapi.exe
21:33:47.0625 3500 ImapiService - ok
21:33:47.0812 3500 ini910u - ok
21:33:49.0109 3500 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
21:33:50.0281 3500 IntcAzAudAddService - ok
21:33:50.0468 3500 IntelIde - ok
21:33:50.0671 3500 intelppm (f2fcd248738a7f5fb2857341832591a6) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:33:50.0750 3500 intelppm - ok
21:33:50.0984 3500 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:33:51.0125 3500 Ip6Fw - ok
21:33:51.0375 3500 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:33:51.0484 3500 IpFilterDriver - ok
21:33:51.0671 3500 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:33:51.0765 3500 IpInIp - ok
21:33:52.0000 3500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:33:52.0109 3500 IpNat - ok
21:33:52.0390 3500 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:33:52.0500 3500 IPSec - ok
21:33:52.0703 3500 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:33:52.0765 3500 IRENUM - ok
21:33:52.0968 3500 isapnp (e058a0e262c184f4d47a7677291ac81e) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:33:53.0078 3500 isapnp - ok
21:33:53.0250 3500 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
21:33:53.0250 3500 JavaQuickStarterService - ok
21:33:53.0484 3500 Kbdclass (e05fd8a6f54f4fd6f628b48c0ccee2a4) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:33:53.0593 3500 Kbdclass - ok
21:33:53.0796 3500 kbdhid (9c5f0cb2a0fd3180ab17b5d3566f5033) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:33:53.0890 3500 kbdhid - ok
21:33:54.0156 3500 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:33:54.0234 3500 kmixer - ok
21:33:54.0453 3500 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:33:54.0562 3500 KSecDD - ok
21:33:54.0796 3500 lanmanserver (611865d1aee0e9bf7af0f8b3f005e3f3) C:\WINDOWS\System32\srvsvc.dll
21:33:54.0812 3500 lanmanserver - ok
21:33:55.0031 3500 lanmanworkstation (a8cd80347977c24cb09000d465d415ae) C:\WINDOWS\System32\wkssvc.dll
21:33:55.0062 3500 lanmanworkstation - ok
21:33:55.0265 3500 lbrtfdc - ok
21:33:55.0515 3500 lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
21:33:55.0531 3500 lirsgt - ok
21:33:55.0765 3500 LmHosts (b04f7b1f2e84d8c58250600a7f2426de) C:\WINDOWS\System32\lmhsvc.dll
21:33:55.0859 3500 LmHosts - ok
21:33:56.0046 3500 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
21:33:56.0140 3500 MDM - ok
21:33:56.0359 3500 Messenger (51a8673170676956eb445503af5e6f39) C:\WINDOWS\System32\msgsvc.dll
21:33:56.0453 3500 Messenger - ok
21:33:56.0687 3500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:33:56.0781 3500 mnmdd - ok
21:33:57.0000 3500 mnmsrvc (524357459b21a4acb6f192f9c2c6a5bf) C:\WINDOWS\system32\mnmsrvc.exe
21:33:57.0078 3500 mnmsrvc - ok
21:33:57.0281 3500 Modem (c8088f5ceae5784a8b4addd9355ef247) C:\WINDOWS\system32\drivers\Modem.sys
21:33:57.0359 3500 Modem - ok
21:33:57.0593 3500 Mouclass (57c0574c8b9a26092ec301f88861919c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:33:57.0703 3500 Mouclass - ok
21:33:57.0906 3500 mouhid (67d4fcccf487a1d4277ab31151e33d42) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:33:57.0984 3500 mouhid - ok
21:33:58.0250 3500 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:33:58.0359 3500 MountMgr - ok
21:33:58.0562 3500 mraid35x - ok
21:33:58.0812 3500 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:33:58.0937 3500 MRxDAV - ok
21:33:59.0281 3500 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:33:59.0515 3500 MRxSmb - ok
21:33:59.0671 3500 MSCamSvc (d98350792a7ce82e7459a7c36481beda) C:\Program Files\Microsoft LifeCam\MSCamS32.exe
21:33:59.0671 3500 MSCamSvc - ok
21:33:59.0921 3500 MSDTC (d39eabf2d29fb80dd1f477f358218e5d) C:\WINDOWS\system32\msdtc.exe
21:34:00.0000 3500 MSDTC - ok
21:34:00.0234 3500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:34:00.0312 3500 Msfs - ok
21:34:00.0562 3500 MSHUSBVideo (5119ffc2a6b51089cdb0efdc75808c97) C:\WINDOWS\system32\Drivers\nx6000.sys
21:34:00.0593 3500 MSHUSBVideo - ok
21:34:00.0765 3500 MSIServer - ok
21:34:00.0984 3500 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:34:01.0093 3500 MSKSSRV - ok
21:34:01.0343 3500 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:34:01.0453 3500 MSPCLOCK - ok
21:34:01.0640 3500 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:34:01.0734 3500 MSPQM - ok
21:34:01.0937 3500 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:34:02.0015 3500 mssmbios - ok
21:34:02.0218 3500 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
21:34:02.0312 3500 MSTEE - ok
21:34:02.0562 3500 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:34:02.0578 3500 Mup - ok
21:34:02.0796 3500 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:34:02.0906 3500 NABTSFEC - ok
21:34:03.0187 3500 napagent (92ff1a7cf55ebf74d389aa6efdc122fa) C:\WINDOWS\System32\qagentrt.dll
21:34:03.0281 3500 napagent - ok
21:34:03.0546 3500 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:34:03.0640 3500 NDIS - ok
21:34:03.0875 3500 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:34:03.0968 3500 NdisIP - ok
21:34:04.0171 3500 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:34:04.0265 3500 NdisTapi - ok
21:34:04.0468 3500 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:34:04.0562 3500 Ndisuio - ok
21:34:04.0781 3500 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:34:04.0906 3500 NdisWan - ok
21:34:05.0125 3500 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:34:05.0156 3500 NDProxy - ok
21:34:05.0390 3500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:34:05.0500 3500 NetBIOS - ok
21:34:05.0734 3500 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:34:05.0859 3500 NetBT - ok
21:34:06.0109 3500 NetDDE (d649ff470800bd2a34c6aac051514211) C:\WINDOWS\system32\netdde.exe
21:34:06.0218 3500 NetDDE - ok
21:34:06.0250 3500 NetDDEdsdm (d649ff470800bd2a34c6aac051514211) C:\WINDOWS\system32\netdde.exe
21:34:06.0312 3500 NetDDEdsdm - ok
21:34:06.0500 3500 Netlogon (673640e09dd7b7125ed82210b7dc311a) C:\WINDOWS\system32\lsass.exe
21:34:06.0578 3500 Netlogon - ok
21:34:06.0843 3500 Netman (0bfa2a7d8200f5638ab8091fe12f54d6) C:\WINDOWS\System32\netman.dll
21:34:06.0921 3500 Netman - ok
21:34:07.0171 3500 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
21:34:07.0281 3500 NetTcpPortSharing - ok
21:34:07.0531 3500 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:34:07.0625 3500 NIC1394 - ok
21:34:07.0890 3500 Nla (6ae8ff2bc640943df7897f5734c04f27) C:\WINDOWS\System32\mswsock.dll
21:34:07.0906 3500 Nla - ok
21:34:08.0125 3500 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:34:08.0203 3500 Npfs - ok
21:34:08.0515 3500 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:34:08.0812 3500 Ntfs - ok
21:34:09.0031 3500 NtLmSsp (673640e09dd7b7125ed82210b7dc311a) C:\WINDOWS\system32\lsass.exe
21:34:09.0109 3500 NtLmSsp - ok
21:34:09.0453 3500 NtmsSvc (98fe9c7f4e219606ac0171e0a3477ddf) C:\WINDOWS\system32\ntmssvc.dll
21:34:09.0625 3500 NtmsSvc - ok
21:34:09.0859 3500 NuidFltr (20623a75f3c6c1076ebba64dd8c4bc02) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
21:34:09.0984 3500 NuidFltr - ok
21:34:10.0187 3500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:34:10.0281 3500 Null - ok
21:34:12.0921 3500 nv (18c9b152da7bea76b2f9e4b6412e0aaf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
21:34:17.0843 3500 nv - ok
21:34:18.0156 3500 NVHDA (ecfabe2e13917c84a49026b2617e118f) C:\WINDOWS\system32\drivers\nvhda32.sys
21:34:18.0187 3500 NVHDA - ok
21:34:18.0421 3500 nvsvc (a8c1e6ff53fb0628a302843ea5fa5ab6) C:\WINDOWS\system32\nvsvc32.exe
21:34:18.0437 3500 nvsvc - ok
21:34:18.0671 3500 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:34:18.0765 3500 NwlnkFlt - ok
21:34:18.0968 3500 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:34:19.0078 3500 NwlnkFwd - ok
21:34:19.0312 3500 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
21:34:19.0437 3500 NwlnkIpx - ok
21:34:19.0640 3500 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
21:34:19.0781 3500 NwlnkNb - ok
21:34:19.0984 3500 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
21:34:20.0093 3500 NwlnkSpx - ok
21:34:20.0343 3500 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:34:20.0421 3500 ohci1394 - ok
21:34:20.0562 3500 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:34:20.0578 3500 ose - ok
21:34:20.0859 3500 ovt519 (4cdadec3dc1300ee1d313ea5494e6472) C:\WINDOWS\system32\Drivers\ov519vid.sys
21:34:20.0937 3500 ovt519 - ok
21:34:21.0187 3500 Parport (bd549622b39da6ef5ba31cb01b2179d3) C:\WINDOWS\system32\drivers\Parport.sys
21:34:21.0265 3500 Parport - ok
21:34:21.0500 3500 Partizan (2a3a0696a4d9011165fbd7b9de0112a7) C:\WINDOWS\system32\drivers\Partizan.sys
21:34:21.0546 3500 Partizan ( UnsignedFile.Multi.Generic ) - warning
21:34:21.0546 3500 Partizan - detected UnsignedFile.Multi.Generic (1)
21:34:21.0750 3500 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:34:21.0828 3500 PartMgr - ok
21:34:22.0031 3500 ParVdm (ad8f8e81709e222076678a501bd6d1e1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:34:22.0125 3500 ParVdm - ok
21:34:22.0328 3500 PCI (40f8158057494d56d22038e4536c5395) C:\WINDOWS\system32\DRIVERS\pci.sys
21:34:22.0437 3500 PCI - ok
21:34:22.0609 3500 PCIDump - ok
21:34:22.0796 3500 PCIIde (6683c158d30ded5dbfd5733ce066be9a) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:34:22.0890 3500 PCIIde - ok
21:34:23.0125 3500 Pcmcia (5f8c49e11d221e6a9c7f016758bd9c92) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:34:23.0187 3500 Pcmcia - ok
21:34:23.0375 3500 PDCOMP - ok
21:34:23.0562 3500 PDFRAME - ok
21:34:23.0750 3500 PDRELI - ok
21:34:23.0921 3500 PDRFRAME - ok
21:34:24.0109 3500 perc2 - ok
21:34:24.0296 3500 perc2hib - ok
21:34:24.0562 3500 PlugPlay (d45a62d065043db325a301abd88ecc95) C:\WINDOWS\system32\services.exe
21:34:24.0593 3500 PlugPlay - ok
21:34:24.0812 3500 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
21:34:24.0828 3500 Point32 - ok
21:34:25.0046 3500 PolicyAgent (673640e09dd7b7125ed82210b7dc311a) C:\WINDOWS\system32\lsass.exe
21:34:25.0125 3500 PolicyAgent - ok
21:34:25.0328 3500 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:34:25.0421 3500 PptpMiniport - ok
21:34:25.0609 3500 ProtectedStorage (673640e09dd7b7125ed82210b7dc311a) C:\WINDOWS\system32\lsass.exe
21:34:25.0671 3500 ProtectedStorage - ok
21:34:25.0906 3500 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:34:26.0046 3500 PSched - ok
21:34:26.0281 3500 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:34:26.0375 3500 Ptilink - ok
21:34:26.0609 3500 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:34:26.0640 3500 PxHelp20 - ok
21:34:26.0828 3500 ql1080 - ok
21:34:27.0000 3500 Ql10wnt - ok
21:34:27.0187 3500 ql12160 - ok
21:34:27.0375 3500 ql1240 - ok
21:34:27.0562 3500 ql1280 - ok
21:34:27.0765 3500 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:34:27.0859 3500 RasAcd - ok
21:34:28.0062 3500 RasAuto (ee0ff070c9be8ce69a0c427b2a998151) C:\WINDOWS\System32\rasauto.dll
21:34:28.0156 3500 RasAuto - ok
21:34:28.0359 3500 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:34:28.0484 3500 Rasl2tp - ok
21:34:28.0734 3500 RasMan (770f255aea316cbc06f2a5f10c1d3e19) C:\WINDOWS\System32\rasmans.dll
21:34:28.0812 3500 RasMan - ok
21:34:29.0015 3500 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:34:29.0109 3500 RasPppoe - ok
21:34:29.0296 3500 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:34:29.0421 3500 Raspti - ok
21:34:29.0687 3500 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:34:29.0859 3500 Rdbss - ok
21:34:30.0078 3500 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:34:30.0156 3500 RDPCDD - ok
21:34:30.0390 3500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:34:30.0531 3500 rdpdr - ok
21:34:30.0781 3500 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
21:34:30.0875 3500 RDPWD - ok
21:34:31.0109 3500 RDSessMgr (eea3eb65c6cc7b1932cd1326dd77cf32) C:\WINDOWS\system32\sessmgr.exe
21:34:31.0203 3500 RDSessMgr - ok
21:34:31.0437 3500 redbook (62d088cfdf90670dc22cdf236424e9ab) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:34:31.0546 3500 redbook - ok
21:34:31.0781 3500 RegGuard (37ecebdd930395a9c399fb18a3c236d3) C:\WINDOWS\system32\Drivers\regguard.sys
21:34:31.0781 3500 RegGuard - ok
21:34:32.0000 3500 RemoteAccess (2b0854e8aacf8c70cc288d0a06ffac39) C:\WINDOWS\System32\mprdim.dll
21:34:32.0093 3500 RemoteAccess - ok
21:34:32.0281 3500 RemoteRegistry (6f2eb2735d6bb1157223a825d3cd073c) C:\WINDOWS\system32\regsvc.dll
21:34:32.0359 3500 RemoteRegistry - ok
21:34:32.0515 3500 RichVideo (f12a68ed55053940cadd59ca5e3468dd) C:\Program Files\Cyberlink\Shared files\RichVideo.exe
21:34:32.0531 3500 RichVideo - ok
21:34:32.0734 3500 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
21:34:32.0828 3500 ROOTMODEM - ok
21:34:33.0046 3500 RpcLocator (2815ac43f71870138432be578d1651b2) C:\WINDOWS\system32\locator.exe
21:34:33.0109 3500 RpcLocator - ok
21:34:33.0406 3500 RpcSs (f283f02f93266f3f8f61f0cde2f1cb20) C:\WINDOWS\System32\rpcss.dll
21:34:33.0515 3500 RpcSs - ok
21:34:33.0734 3500 RSVP (a34a16450b67db5faef942e7ed39363f) C:\WINDOWS\system32\rsvp.exe
21:34:33.0796 3500 RSVP - ok
21:34:34.0031 3500 SamSs (673640e09dd7b7125ed82210b7dc311a) C:\WINDOWS\system32\lsass.exe
21:34:34.0109 3500 SamSs - ok
21:34:34.0375 3500 SCardSvr (3e3df8db36a4be490dece480292ea21d) C:\WINDOWS\System32\SCardSvr.exe
21:34:34.0437 3500 SCardSvr - ok
21:34:34.0656 3500 Schedule (af4a0671d5d99c1fec74e6da7a3e8126) C:\WINDOWS\system32\schedsvc.dll
21:34:34.0750 3500 Schedule - ok
21:34:34.0953 3500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:34:35.0015 3500 Secdrv - ok
21:34:35.0218 3500 seclogon (4e0528fd3da357df77a8f2bbb20e64ae) C:\WINDOWS\System32\seclogon.dll
21:34:35.0296 3500 seclogon - ok
21:34:35.0500 3500 SENS (744e4a9dc5693884112a755490836927) C:\WINDOWS\system32\sens.dll
21:34:35.0578 3500 SENS - ok
21:34:35.0765 3500 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:34:35.0859 3500 serenum - ok
21:34:36.0171 3500 Serial (c4e811de8388c98eb5701a6dd2b14b33) C:\WINDOWS\system32\DRIVERS\serial.sys
21:34:36.0312 3500 Serial - ok
21:34:36.0546 3500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:34:36.0625 3500 Sfloppy - ok
21:34:36.0875 3500 SharedAccess (1837e06ff5d0f553c883a4be6162d967) C:\WINDOWS\System32\ipnathlp.dll
21:34:37.0031 3500 SharedAccess - ok
21:34:37.0296 3500 ShellHWDetection (da5deab0aa202eebc14bddecb39f624b) C:\WINDOWS\System32\shsvcs.dll
21:34:37.0312 3500 ShellHWDetection - ok
21:34:37.0500 3500 Simbad - ok
21:34:37.0734 3500 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:34:37.0843 3500 SLIP - ok
21:34:38.0046 3500 Sparrow - ok
21:34:38.0312 3500 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:34:38.0406 3500 splitter - ok
21:34:38.0625 3500 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
21:34:38.0671 3500 Spooler - ok
21:34:38.0906 3500 sr (ec70007bab7c42ccd340a068f87873a6) C:\WINDOWS\system32\DRIVERS\sr.sys
21:34:38.0984 3500 sr - ok
21:34:39.0250 3500 srservice (48e4c5d80462811166b4f3a6476f8f8e) C:\WINDOWS\system32\srsvc.dll
21:34:39.0281 3500 srservice - ok
21:34:39.0578 3500 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:34:39.0781 3500 Srv - ok
21:34:39.0984 3500 SSDPSRV (139f0ee0fe18d03c1f5884b5d8985cfd) C:\WINDOWS\System32\ssdpsrv.dll
21:34:40.0046 3500 SSDPSRV - ok
21:34:40.0328 3500 stisvc (43df089c841679a1b79ba10dd2592dda) C:\WINDOWS\system32\wiaservc.dll
21:34:40.0484 3500 stisvc - ok
21:34:40.0718 3500 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:34:40.0812 3500 streamip - ok
21:34:41.0000 3500 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:34:41.0109 3500 swenum - ok
21:34:41.0359 3500 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:34:41.0468 3500 swmidi - ok
21:34:41.0656 3500 SwPrv - ok
21:34:41.0828 3500 symc810 - ok
21:34:42.0015 3500 symc8xx - ok
21:34:42.0203 3500 sym_hi - ok
21:34:42.0390 3500 sym_u3 - ok
21:34:42.0609 3500 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:34:42.0703 3500 sysaudio - ok
21:34:42.0937 3500 SysmonLog (44cafbf38c82ae81087c360fed78e5c8) C:\WINDOWS\system32\smlogsvc.exe
21:34:43.0031 3500 SysmonLog - ok
21:34:43.0281 3500 TapiSrv (8c7baa64774ed2b018a4b6290e1d3f1c) C:\WINDOWS\System32\tapisrv.dll
21:34:43.0359 3500 TapiSrv - ok
21:34:43.0546 3500 TBPanel - ok
21:34:43.0859 3500 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:34:44.0031 3500 Tcpip - ok
21:34:44.0234 3500 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:34:44.0328 3500 TDPIPE - ok
21:34:44.0546 3500 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:34:44.0625 3500 TDTCP - ok
21:34:44.0843 3500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:34:44.0968 3500 TermDD - ok
21:34:45.0234 3500 TermService (c112b5b8c597d3b69665ba2caaac2ec2) C:\WINDOWS\System32\termsrv.dll
21:34:45.0328 3500 TermService - ok
21:34:45.0562 3500 Themes (da5deab0aa202eebc14bddecb39f624b) C:\WINDOWS\System32\shsvcs.dll
21:34:45.0562 3500 Themes - ok
21:34:45.0796 3500 TlntSvr (3746c7754f1d1545c78ccc818a6a5b80) C:\WINDOWS\system32\tlntsvr.exe
21:34:45.0859 3500 TlntSvr - ok
21:34:46.0046 3500 TosIde - ok
21:34:46.0265 3500 TrkWks (e5359aba1cb023238a94658f36e2fc73) C:\WINDOWS\system32\trkwks.dll
21:34:46.0343 3500 TrkWks - ok
21:34:46.0421 3500 TuneUp.Defrag (af72467e43b92b0b152f2cbe748eaa39) E:\Nice Programs\TuneUp Utilities 2010\TuneUpDefragService.exe
21:34:46.0500 3500 TuneUp.Defrag - ok
21:34:46.0546 3500 TuneUp.UtilitiesSvc (070fcd2c93791bd6e119b1b460b13a4d) E:\Nice Programs\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
21:34:46.0765 3500 TuneUp.UtilitiesSvc - ok
21:34:46.0796 3500 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) E:\Nice Programs\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
21:34:46.0812 3500 TuneUpUtilitiesDrv - ok
21:34:47.0062 3500 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:34:47.0156 3500 Udfs - ok
21:34:47.0343 3500 ultra - ok
21:34:47.0656 3500 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:34:47.0906 3500 Update - ok
21:34:48.0156 3500 upnphost (adaeb2d4c77cc7b5ea50736cc4406116) C:\WINDOWS\System32\upnphost.dll
21:34:48.0203 3500 upnphost - ok
21:34:48.0406 3500 UPS (2d89cbd093e49c7bd85c561689caffc6) C:\WINDOWS\System32\ups.exe
21:34:48.0484 3500 UPS - ok
21:34:48.0734 3500 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
21:34:48.0843 3500 usbaudio - ok
21:34:49.0078 3500 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:34:49.0187 3500 usbccgp - ok
21:34:49.0406 3500 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:34:49.0531 3500 usbehci - ok
21:34:49.0734 3500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:34:49.0859 3500 usbhub - ok
21:34:50.0093 3500 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:34:50.0187 3500 usbprint - ok
21:34:50.0406 3500 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:34:50.0515 3500 usbscan - ok
21:34:50.0703 3500 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:34:50.0796 3500 USBSTOR - ok
21:34:50.0984 3500 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:34:51.0078 3500 usbuhci - ok
21:34:51.0390 3500 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
21:34:51.0484 3500 usbvideo - ok
21:34:51.0734 3500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:34:51.0812 3500 VgaSave - ok
21:34:52.0000 3500 ViaIde - ok
21:34:52.0218 3500 VolSnap (77c942f961eca976ca12b12e36f3505a) C:\WINDOWS\system32\drivers\VolSnap.sys
21:34:52.0296 3500 VolSnap - ok
21:34:52.0593 3500 VSS (2f4e4bd86dd97ff6b9c92fa883e732c5) C:\WINDOWS\System32\vssvc.exe
21:34:52.0640 3500 VSS - ok
21:34:52.0875 3500 W32Time (d9e7e7054a3d90805c527fd84fb5545e) C:\WINDOWS\system32\w32time.dll
21:34:52.0953 3500 W32Time - ok
21:34:53.0171 3500 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:34:53.0281 3500 Wanarp - ok
21:34:53.0609 3500 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:34:53.0828 3500 Wdf01000 - ok
21:34:54.0031 3500 WDICA - ok
21:34:54.0296 3500 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:34:54.0406 3500 wdmaud - ok
21:34:54.0640 3500 WebClient (4bebf8cf9433c0fc87667e8b5899ea7b) C:\WINDOWS\System32\webclnt.dll
21:34:54.0718 3500 WebClient - ok
21:34:54.0984 3500 winmgmt (f8a4d63f979d767181f21b360c273ab4) C:\WINDOWS\system32\wbem\WMIsvc.dll
21:34:55.0078 3500 winmgmt - ok
21:34:55.0281 3500 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
21:34:55.0390 3500 WmdmPmSN - ok
21:34:55.0781 3500 Wmi (d6034e535852ebf4b3246f9fa0b99058) C:\WINDOWS\System32\advapi32.dll
21:34:55.0937 3500 Wmi - ok
21:34:56.0218 3500 WmiApSrv (3b0afd6574570759a89bfb593c727f20) C:\WINDOWS\system32\wbem\wmiapsrv.exe
21:34:56.0312 3500 WmiApSrv - ok
21:34:56.0656 3500 WMPNetworkSvc (43b0aeb977439d1639eb95f60029769c) C:\Program Files\Windows Media Player\WMPNetwk.exe
21:34:57.0078 3500 WMPNetworkSvc - ok
21:34:57.0500 3500 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
21:34:57.0640 3500 WPFFontCache_v0400 - ok
21:34:57.0875 3500 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:34:57.0953 3500 WS2IFSL - ok
21:34:58.0171 3500 wscsvc (e56c0f16541332ec8331c49a36baf88b) C:\WINDOWS\system32\wscsvc.dll
21:34:58.0312 3500 wscsvc - ok
21:34:58.0531 3500 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:34:58.0625 3500 WSTCODEC - ok
21:34:58.0796 3500 wuauserv (134d66b32ef1f498f65cbf1468b75f94) C:\WINDOWS\system32\wuauserv.dll
21:34:58.0890 3500 wuauserv - ok
21:34:59.0171 3500 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:34:59.0250 3500 WudfPf - ok
21:34:59.0484 3500 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:34:59.0515 3500 WudfRd - ok
21:34:59.0718 3500 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
21:34:59.0781 3500 WudfSvc - ok
21:35:00.0125 3500 WZCSVC (ade5fed2cd7849b4e7b6fcec7c2e67a1) C:\WINDOWS\System32\wzcsvc.dll
21:35:00.0296 3500 WZCSVC - ok
21:35:00.0531 3500 xmlprov (0b5c34edc41b523fb013292fa7f82fd3) C:\WINDOWS\System32\xmlprov.dll
21:35:00.0640 3500 xmlprov - ok
21:35:00.0687 3500 zlportio - ok
21:35:00.0750 3500 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (74ec37b9eaf9fca015b933a526825c7a) E:\Nice Programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl
21:35:00.0765 3500 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} - ok
21:35:00.0796 3500 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:35:01.0078 3500 \Device\Harddisk0\DR0 - ok
21:35:01.0078 3500 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
21:35:01.0140 3500 \Device\Harddisk1\DR1 - ok
21:35:01.0140 3500 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
21:35:01.0343 3500 \Device\Harddisk2\DR2 - ok
21:35:01.0343 3500 Boot (0x1200) (64cfb9009e3d4bb058e05a5266b97bac) \Device\Harddisk0\DR0\Partition0
21:35:01.0343 3500 \Device\Harddisk0\DR0\Partition0 - ok
21:35:01.0359 3500 Boot (0x1200) (737553bef8f647593453af017f3b7a06) \Device\Harddisk1\DR1\Partition0
21:35:01.0359 3500 \Device\Harddisk1\DR1\Partition0 - ok
21:35:01.0359 3500 Boot (0x1200) (82fbf586e44f666bd13e43262c09dc29) \Device\Harddisk2\DR2\Partition0
21:35:01.0359 3500 \Device\Harddisk2\DR2\Partition0 - ok
21:35:01.0359 3500 ============================================================
21:35:01.0359 3500 Scan finished
21:35:01.0359 3500 ============================================================
21:35:01.0468 3704 Detected object count: 2
21:35:01.0468 3704 Actual detected object count: 2
21:35:12.0765 3704 a347bus ( UnsignedFile.Multi.Generic ) - skipped by user
21:35:12.0765 3704 a347bus ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:35:12.0765 3704 Partizan ( UnsignedFile.Multi.Generic ) - skipped by user
21:35:12.0765 3704 Partizan ( UnsignedFile.Multi.Generic ) - User select action: Skip


3.

Farbar Service Scanner Version: 01-03-2012
Ran by user (administrator) on 26-03-2012 at 21:37:21
Running from "E:\"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-03-02 14:00] - [2008-04-14 04:17] - 0126976 ____A (Microsoft Corporation) 9B1ABA1F15F97AFAAD54597B8801C3C5

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll
[2006-03-02 14:00] - [2009-04-20 19:18] - 0045568 ____A (Microsoft Corporation) 515C0419254D9C037AA967FC5AB429D5

C:\WINDOWS\system32\ipnathlp.dll
[2006-03-02 14:00] - [2008-04-14 04:17] - 0331264 ____A (Microsoft Corporation) 1837E06FF5D0F553C883A4BE6162D967

C:\WINDOWS\system32\netman.dll
[2006-03-02 14:00] - [2008-04-14 04:17] - 0197632 ____A (Microsoft Corporation) 0BFA2A7D8200F5638AB8091FE12F54D6

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-03-11 18:54] - [2008-04-14 04:17] - 0144896 ____A (Microsoft Corporation) F8A4D63F979D767181F21B360C273AB4

C:\WINDOWS\system32\srsvc.dll
[2010-03-11 18:56] - [2008-04-14 04:17] - 0170496 ____A (Microsoft Corporation) 48E4C5D80462811166B4F3A6476F8F8E

C:\WINDOWS\system32\Drivers\sr.sys
[2010-03-11 18:56] - [2008-04-14 04:00] - 0073344 ____A (Microsoft Corporation) EC70007BAB7C42CCD340A068F87873A6

C:\WINDOWS\system32\wscsvc.dll
[2006-03-02 14:00] - [2008-04-14 04:17] - 0080896 ____A (Microsoft Corporation) E56C0F16541332EC8331C49A36BAF88B

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-03-11 18:54] - [2008-04-14 04:17] - 0144896 ____A (Microsoft Corporation) F8A4D63F979D767181F21B360C273AB4

C:\WINDOWS\system32\wuauserv.dll
[2010-03-11 18:56] - [2008-04-14 04:17] - 0006656 ____A (Microsoft Corporation) 134D66B32EF1F498F65CBF1468B75F94

C:\WINDOWS\system32\qmgr.dll
[2010-03-11 18:56] - [2008-04-14 04:17] - 0409088 ____A (Microsoft Corporation) E8367773660B9BEA240A124C1D7F3484

C:\WINDOWS\system32\es.dll
[2006-03-02 14:00] - [2008-07-07 22:29] - 0253952 ____A (Microsoft Corporation) 51BACCDDDFC6D6C6DF18C6A1C23E3D36

C:\WINDOWS\system32\cryptsvc.dll
[2006-03-02 14:00] - [2008-04-14 04:17] - 0062464 ____A (Microsoft Corporation) EF329F898FE62AB647F62A94EA89964E

C:\WINDOWS\system32\svchost.exe
[2006-03-02 14:00] - [2008-04-14 04:17] - 0014336 ____A (Microsoft Corporation) 87BA1595374FC6A8348F9B8A30B9EE22

C:\WINDOWS\system32\rpcss.dll
[2006-03-02 14:00] - [2009-02-09 12:53] - 0401408 ____A (Microsoft Corporation) F283F02F93266F3F8F61F0CDE2F1CB20

C:\WINDOWS\system32\services.exe
[2006-03-02 14:00] - [2009-02-09 13:25] - 0110592 ____A (Microsoft Corporation) D45A62D065043DB325A301ABD88ECC95


Extra List:
=======
epfwtdir(8) Gpc(3) IPSec(5) NetBT(6) NwlnkIpx(9) NwlnkNb(10) PSched(7) Tcpip(4)
0x0A0000000500000001000000020000000300000004000000060000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

4.


OTL logfile created on: 26/03/2012 21:39:57 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040D | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

1.98 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.43% Memory free
3.83 Gb Paging File | 3.43 Gb Available in Paging File | 89.46% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 10.79 Gb Free Space | 2.32% Space Free | Partition Type: NTFS
Drive E: | 698.64 Gb Total Space | 1.99 Gb Free Space | 0.29% Space Free | Partition Type: NTFS
Drive F: | 298.08 Gb Total Space | 2.48 Gb Free Space | 0.83% Space Free | Partition Type: NTFS

Computer Name: USER-907F5FD299 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/26 21:38:17 | 000,593,920 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2012/03/26 21:31:38 | 002,068,016 | ---- | M] (Kaspersky Lab ZAO) -- E:\tdsskiller.exe
PRC - [2009/05/14 15:47:54 | 000,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2008/08/08 07:04:10 | 001,091,768 | ---- | M] (C. Ghisler & Co.) -- C:\Nice Programs\Total Commander\TOTALCMD.EXE
PRC - [2008/04/14 04:17:43 | 001,202,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2010/07/25 16:44:47 | 000,435,008 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- E:\Nice Programs\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010/07/06 13:55:16 | 001,051,968 | ---- | M] (TuneUp Software) [Disabled | Stopped] -- E:\Nice Programs\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2010/05/20 14:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2009/05/14 15:54:22 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/05/14 15:47:54 | 000,731,840 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- E:\Games\Ultrastar Deluxe\zlportio.sys -- (zlportio)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\TEMP\catchme.sys -- (catchme)
DRV - [2011/08/04 13:56:50 | 000,030,946 | ---- | M] (Greatis Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Partizan.sys -- (Partizan)
DRV - [2011/05/01 18:02:30 | 000,024,416 | ---- | M] (Greatis Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\regguard.sys -- (RegGuard)
DRV - [2010/12/23 07:56:49 | 000,100,456 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2010/05/20 14:27:24 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nx6000.sys -- (MSHUSBVideo)
DRV - [2010/04/14 19:34:18 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/04/14 19:34:17 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/03/13 11:58:52 | 000,087,536 | ---- | M] (CyberLink Corp.) [2010/07/22 18:57:53] [Kernel | Auto | Stopped] -- E:\Nice Programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl -- ({1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC})
DRV - [2010/02/24 13:41:50 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Stopped] -- E:\Nice Programs\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2009/05/14 15:49:32 | 000,094,360 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/05/14 15:47:14 | 000,107,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/05/14 15:41:10 | 000,114,472 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/04/13 20:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/09/17 09:08:44 | 004,402,176 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/03/16 09:11:38 | 000,012,256 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\TBPANEL.SYS.del -- (TBPanel)
DRV - [2007/03/13 13:05:30 | 000,044,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2006/03/02 14:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2006/03/02 14:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/04/30 09:37:02 | 000,160,640 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\a347bus.sys -- (a347bus)
DRV - [2003/09/25 17:00:00 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-790525478-1177238915-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
IE - HKU\S-1-5-21-790525478-1177238915-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = he
IE - HKU\S-1-5-21-790525478-1177238915-725345543-1003\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-790525478-1177238915-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-790525478-1177238915-725345543-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLJ_en
IE - HKU\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/home?AF=88888&tt=aabctest8057a"
FF - prefs.js..network.proxy.type: 0
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=KW_def&AF=88888&tt=aabctest8057a&q="
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"


FF - HKLM\Software\MozillaPlugins\@3dvia.com/3DVIAVirtualMachine: C:\Program Files\3DVIA\3DVIAStudioPlayer\bin\win32_dynamic\release_licensed\np3DVIAplayer.dll (© 2011 Dassault Systèmes)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@onlive.com/OnLiveGameClientDetector,version=1.0.0: C:\Program Files\OnLive\Plugin\npolgdet.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/24 13:19:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/03/11 19:20:54 | 000,000,000 | ---D | M]

[2011/08/09 16:05:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2012/01/26 12:38:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions
[2012/01/26 12:38:55 | 000,000,000 | ---D | M] (Babylon) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com
[2012/03/15 15:32:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/08/09 16:24:08 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/10/04 21:54:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
[2012/03/03 21:31:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/03/03 21:31:31 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/03/19 13:20:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/07/08 09:41:08 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/01/26 12:38:48 | 000,002,353 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2010/01/01 10:00:00 | 000,001,960 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\morfix-dic.xml
[2010/01/01 10:00:00 | 000,001,008 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-he.xml

========== Chrome ==========

CHR - default_search_provider: Search the web (Babylon) (Enabled)
CHR - default_search_provider: search_url = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
CHR - default_search_provider: suggest_url =
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\12.0.742.122\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\12.0.742.122\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\12.0.742.122\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.5 (861) (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.5 (861) (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.5 (861) (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.5 (861) (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.5 (861) (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.5 (861) (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.5 (861) (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2012/03/22 16:31:24 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Nice Programs\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Nice Programs\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {56CF4856-ECB4-4E46-A897-A378821F97B9} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {56CF4856-ECB4-4E46-A897-A378821F97B9} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1177238915-725345543-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKU\S-1-5-21-790525478-1177238915-725345543-1003..\Run: [ESET GUI] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-790525478-1177238915-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1177238915-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-790525478-1177238915-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-790525478-1177238915-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://212.143.197.6/cache/88f60d89961960acc894108aaed60316/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} http://www.tapuz.co.il/irc/main/launcher.cab (LauncherV1 Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F705A1E9-0E4C-4F32-A647-2DE40809969A} http://player.studio.3dvia.com/3DVIAPlayer-Installer.exe (Dassault Systemes 3DVIA Player Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D100DB7-3344-4546-97C6-4F73CD98F967}: DhcpNameServer = 10.0.0.138
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 (דף הבית הנוכחי שלי) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/11 18:58:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (Partizan)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - Services: "WMPNetworkSvc"
MsConfig - Services: "JavaQuickStarterService"
MsConfig - Services: "TuneUp.Defrag"
MsConfig - Services: "RichVideo"
MsConfig - Services: "iPod Service"
MsConfig - Services: "TuneUp.UtilitiesSvc"
MsConfig - Services: "MSCamSvc"
MsConfig - Services: "gusvc"
MsConfig - Services: "Bonjour Service"
MsConfig - Services: "Apple Mobile Device"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AdobeARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: BDRegion - hkey= - key= - C:\Program Files\Cyberlink\Shared files\brs.exe (cyberlink)
MsConfig - StartUpReg: brs - hkey= - key= - C:\Program Files\Cyberlink\Shared files\brs.exe (cyberlink)
MsConfig - StartUpReg: dumprep 0 -k - hkey= - key= - File not found
MsConfig - StartUpReg: ESET GUI - hkey= - key= - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig - StartUpReg: hackmon - hkey= - key= - F:\Nice Programs\UnHackMe\hackmon.exe (Greatis Software)
MsConfig - StartUpReg: HitmanPro35 - hkey= - key= - C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
MsConfig - StartUpReg: KernelFaultCheck - hkey= - key= - File not found
MsConfig - StartUpReg: LifeCam - hkey= - key= - C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
MsConfig - StartUpReg: LifeExp - hkey= - key= - C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
MsConfig - StartUpReg: MSConfig - hkey= - key= - C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: msnmsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: PDVD10Serv - hkey= - key= - E:\Nice Programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
MsConfig - StartUpReg: qttask - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: RemoteControl10 - hkey= - key= - E:\Nice Programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: UnHackMe Monitor - hkey= - key= - F:\Nice Programs\UnHackMe\hackmon.exe (Greatis Software)
MsConfig - StartUpReg: UpdatePDRShortCut - hkey= - key= - E:\Nice Programs\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: winampa - hkey= - key= - E:\Nice Programs\Winamp\winampa.exe (Nullsoft, Inc.)
MsConfig - StartUpReg: WinampAgent - hkey= - key= - E:\Nice Programs\Winamp\winampa.exe (Nullsoft, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - יצירת דפים מתקדמת
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - מחלקות Java של DirectAnimation
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - תיקיות Web
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - מתזמן המשימות
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.divxa32 - C:\WINDOWS\System32\DivXa32.acm (Packed With Joy !)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.divx - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()
Drivers32: vidc.vp60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.vp61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.vp62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/03/25 12:47:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/22 21:34:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/22 21:34:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/22 21:34:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/22 21:34:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/22 20:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\pdfMachine
[2012/03/22 20:33:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\pdfMachine
[2012/03/22 20:26:36 | 000,000,000 | ---D | C] -- C:\Program Files\BCL Technologies
[2012/03/22 16:55:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/15 15:39:44 | 000,335,504 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TRUFOSALT.SYS.del
[2012/03/15 15:14:48 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/03/03 21:31:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/03 21:31:45 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/03 21:31:45 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/03 21:31:45 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

========== Files - Modified Within 30 Days ==========

[2012/03/26 21:35:37 | 000,003,954 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2012/03/26 21:20:50 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/26 21:20:23 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/03/26 21:20:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/26 16:57:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
[2012/03/25 13:57:00 | 000,000,952 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
[2012/03/22 20:07:44 | 001,468,466 | ---- | M] () -- C:\Documents and Settings\user\My Documents\מערכת שעות19.pdf
[2012/03/22 17:12:23 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2012/03/22 17:12:22 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/22 17:12:22 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2012/03/22 16:31:24 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/03/22 16:13:28 | 000,000,134 | ---- | M] () -- C:\WINDOWS\rootkitno.ini
[2012/03/19 22:11:41 | 000,211,968 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/17 23:11:28 | 000,335,504 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TRUFOSALT.SYS.del
[2012/03/14 13:29:37 | 000,381,632 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/14 13:04:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/06 15:11:59 | 000,000,284 | ---- | M] () -- C:\Documents and Settings\user\שולחן העבודה\הפקולטה למדעי החברה - לוח הודעות.url
[2012/03/05 22:45:52 | 049,454,830 | ---- | M] () -- C:\Documents and Settings\user\My Documents\תיעוד ההפעלה.wmv
[2012/03/05 22:22:07 | 000,127,359 | ---- | M] () -- C:\Documents and Settings\user\My Documents\הכל ביחד.pds
[2012/03/05 20:27:12 | 000,060,945 | ---- | M] () -- C:\Documents and Settings\user\My Documents\PDR.dmp
[2012/03/05 15:49:56 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/03/03 21:31:28 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/03 21:31:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/03 21:31:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/03/03 21:31:28 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/03 21:31:27 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/02/28 22:31:05 | 000,046,781 | ---- | M] () -- C:\Documents and Settings\user\My Documents\קשב.pds

========== Files Created - No Company Name ==========

[2012/03/24 17:53:00 | 000,000,284 | ---- | C] () -- C:\Documents and Settings\user\שולחן העבודה\הפקולטה למדעי החברה - לוח הודעות.url
[2012/03/22 21:34:28 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/22 21:34:28 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/22 21:34:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/22 21:34:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/22 21:34:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/22 20:07:43 | 001,468,466 | ---- | C] () -- C:\Documents and Settings\user\My Documents\מערכת שעות19.pdf
[2012/03/05 22:22:42 | 049,454,830 | ---- | C] () -- C:\Documents and Settings\user\My Documents\תיעוד ההפעלה.wmv
[2012/03/05 19:35:59 | 000,127,359 | ---- | C] () -- C:\Documents and Settings\user\My Documents\הכל ביחד.pds
[2012/02/28 22:26:28 | 000,046,781 | ---- | C] () -- C:\Documents and Settings\user\My Documents\קשב.pds
[2012/02/15 10:19:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/01 22:55:34 | 000,421,730 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\census.cache
[2011/09/01 22:55:30 | 000,234,796 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\ars.cache
[2011/09/01 19:41:01 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2011/08/09 16:04:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/07/19 16:04:50 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/19 16:04:47 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/19 16:04:47 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/02/15 01:04:50 | 002,292,678 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010/12/23 07:56:49 | 000,007,282 | ---- | C] () -- C:\WINDOWS\cadx2.ini
[2010/11/14 21:55:49 | 000,494,128 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/29 20:07:21 | 000,000,039 | ---- | C] () -- C:\WINDOWS\ideq32.ini
[2010/09/29 20:39:32 | 000,000,565 | ---- | C] () -- C:\Documents and Settings\user\Application Data\myMPQ.ini
[2010/09/22 14:37:36 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2010/09/22 14:35:43 | 000,339,456 | ---- | C] () -- C:\WINDOWS\System32\Tx32.dll
[2010/07/27 12:26:56 | 000,078,796 | ---- | C] () -- C:\WINDOWS\hpfins05.dat
[2010/07/27 12:26:56 | 000,001,395 | ---- | C] () -- C:\WINDOWS\hpfmdl05.dat
[2010/07/27 12:26:41 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2010/07/27 12:26:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/07/24 14:00:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhotoNow.INI
[2010/07/15 16:11:48 | 001,185,871 | ---- | C] () -- C:\WINDOWS\System32\unins000.exe
[2010/07/15 16:11:48 | 000,045,669 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat
[2010/05/31 00:28:36 | 000,211,968 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/26 00:03:51 | 000,000,134 | ---- | C] () -- C:\WINDOWS\rootkitno.ini
[2010/05/20 16:20:12 | 000,000,014 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2010/05/12 11:44:12 | 000,086,528 | ---- | C] () -- C:\WINDOWS\bnetunin.exe
[2010/05/12 11:21:01 | 000,000,401 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/04/29 14:10:08 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\psfind.dll
[2010/04/23 09:11:45 | 000,000,083 | ---- | C] () -- C:\WINDOWS\wwpEnglish.INI
[2010/04/14 19:34:18 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2010/04/14 19:34:17 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2010/03/30 11:39:22 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/03/11 20:43:06 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2010/03/11 20:43:06 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2010/03/11 20:43:06 | 000,446,464 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2012/01/09 18:20:19 | 000,139,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rdpwd.sys

< %SYSTEMDRIVE%\*.exe >
[2010/03/11 19:50:06 | 117,905,536 | ---- | M] (NVIDIA Corporation) -- C:\196.21_desktop_winxp_32bit_international_whql.exe

< MD5 for: AFD.SYS >
[2011/08/17 15:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\dllcache\afd.sys
[2011/08/17 15:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\drivers\afd.sys
[2008/04/13 21:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2008/04/13 21:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2011/02/16 15:22:48 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=355556D9E580915118CD7EF736653A89 -- C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2008/10/16 17:07:58 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=38D7B715504DA4741DF35E3594FE2099 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008/08/14 12:34:26 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=4D43E74F2A1239D53929B82600F1971C -- C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2008/08/14 11:51:43 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=55E6E1C51B6D30E54335750955453702 -- C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2006/03/02 14:00:00 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys
[2008/08/14 11:48:52 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=6A0397376853E604DE8E1E7A87FC08AC -- C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys
[2008/10/16 16:43:01 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7618D5218F2A614672EC61A80D854A37 -- C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2008/08/14 12:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys
[2008/08/14 12:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011/02/16 15:25:05 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=8D499B1276012EB907E7A9E0F4D8FDA4 -- C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2008/06/20 12:44:38 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=944CA435BFCFC82CC1ED9E3A7D731AA9 -- C:\WINDOWS\$NtUninstallKB956803_0$\afd.sys
[2008/06/20 13:48:03 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=D6EE6014241D034E63C49A50CB2B442A -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008/06/20 12:44:08 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=D99DDFFB33DEACDCF20717CB520379F6 -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
[2008/06/20 13:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
[2008/06/20 13:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2011/08/17 15:41:46 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=F6B7B1ECD7B41736BDB6FF4B092BCB79 -- C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys

< MD5 for: ATAPI.SYS >
[2006/03/02 14:00:00 | 018,773,911 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/03/18 23:59:40 | 023,886,227 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/03/18 23:59:40 | 023,886,227 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/03/02 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008/04/14 04:17:43 | 001,202,176 | ---- | M] (Microsoft Corporation) MD5=468D2A8B5F62E25F81C3150263D8E558 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 04:17:43 | 001,202,176 | ---- | M] (Microsoft Corporation) MD5=468D2A8B5F62E25F81C3150263D8E558 -- C:\WINDOWS\explorer.exe
[2008/04/14 04:17:43 | 001,202,176 | ---- | M] (Microsoft Corporation) MD5=468D2A8B5F62E25F81C3150263D8E558 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2006/03/02 14:00:00 | 001,200,640 | ---- | M] (Microsoft Corporation) MD5=A275BB2B4CF43625B9F38AD312F5C5A6 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: VOLSNAP.SYS >
[2006/03/02 14:00:00 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=75554B019CBBD7A973F670D7DC53BE8F -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys
[2008/04/14 03:52:09 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=77C942F961ECA976CA12B12E36F3505A -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/14 03:52:09 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=77C942F961ECA976CA12B12E36F3505A -- C:\WINDOWS\system32\drivers\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2008/04/14 04:18:01 | 000,504,320 | ---- | M] (Microsoft Corporation) MD5=9DC7D2C3A0956A9FF82C4DD5596613A8 -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 04:18:01 | 000,504,320 | ---- | M] (Microsoft Corporation) MD5=9DC7D2C3A0956A9FF82C4DD5596613A8 -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 04:18:01 | 000,504,320 | ---- | M] (Microsoft Corporation) MD5=9DC7D2C3A0956A9FF82C4DD5596613A8 -- C:\WINDOWS\system32\winlogon.exe
[2011/12/24 17:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2006/03/02 14:00:00 | 000,498,688 | ---- | M] (Microsoft Corporation) MD5=E589065C107815A4F5DB393973A2B9B0 -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/07/08 09:41:11 | 000,731,440 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/07/08 09:41:11 | 000,731,440 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/07/08 09:41:11 | 000,731,440 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/07/08 09:41:07 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/07/08 09:41:07 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/07/08 09:41:07 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 14:23:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 14:23:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 14:23:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/07/08 09:41:11 | 000,731,440 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/07/08 09:41:11 | 000,731,440 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/07/08 09:41:11 | 000,731,440 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/07/08 09:41:07 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/07/08 09:41:07 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/07/08 09:41:07 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2011/07/09 06:51:19 | 001,012,792 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 14:23:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 14:23:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 14:23:19 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35] -> C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 -> Junction

< End of report >


OTL Extras logfile created on: 26/03/2012 21:39:57 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040D | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

1.98 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.43% Memory free
3.83 Gb Paging File | 3.43 Gb Available in Paging File | 89.46% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 10.79 Gb Free Space | 2.32% Space Free | Partition Type: NTFS
Drive E: | 698.64 Gb Total Space | 1.99 Gb Free Space | 0.29% Space Free | Partition Type: NTFS
Drive F: | 298.08 Gb Total Space | 2.48 Gb Free Space | 0.83% Space Free | Partition Type: NTFS

Computer Name: USER-907F5FD299 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\Games\Heroes III\Heroes3.exe" = E:\Games\Heroes III\Heroes3.exe:*:Enabled:Heroes of Might and Magic® III -- (The 3DO Company)
"E:\eMule\emule.exe" = E:\eMule\emule.exe:*:Enabled:eMule -- (http://www.emule-project.net)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"E:\Games\Avatar\bin\Avatar.exe" = E:\Games\Avatar\bin\Avatar.exe:*:Enabled:James Cameron's AVATAR™: THE GAME -- (Ubisoft Entertainment)
"E:\Games\Avatar\bin\AvatarLauncher.exe" = E:\Games\Avatar\bin\AvatarLauncher.exe:*:Enabled:Updater -- (Ubisoft)
"E:\Games\ANNO 1404\Anno4.exe" = E:\Games\ANNO 1404\Anno4.exe:*:Enabled:ANNO 1404 -- ()
"E:\Games\ANNO 1404\tools\Anno4Web.exe" = E:\Games\ANNO 1404\tools\Anno4Web.exe:*:Enabled:ANNO 1404 Web -- ()
"E:\Games\C&C 4\Data\CNC4.game" = E:\Games\C&C 4\Data\CNC4.game:*:Enabled:Command & Conquer™ 4 -- (Electronic Arts Inc.)
"E:\Games\Street Fighter 4\StreetFighterIV.exe" = E:\Games\Street Fighter 4\StreetFighterIV.exe:*:Enabled:STREET FIGHTER IV -- (CAPCOM U.S.A., INC.)
"E:\Games\Dragon Age\bin_ship\daorigins.exe" = E:\Games\Dragon Age\bin_ship\daorigins.exe:*:Enabled:Dragon Age Origins Game -- (BioWare)
"E:\Games\Dragon Age\DAOriginsLauncher.exe" = E:\Games\Dragon Age\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Launcher -- (BioWare)
"E:\Games\The Hell\TH.exe" = E:\Games\The Hell\TH.exe:*:Enabled:The Hell -- (Modded by MORDOR )
"E:\Games\Universe At War Earth Assault\UAWEA.exe" = E:\Games\Universe At War Earth Assault\UAWEA.exe:*:Enabled:Universe at War Earth Assault -- (Petroglyph Games, Inc.)
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeEnC2.exe" = C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeTray.exe" = C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe -- (Microsoft Corporation)
"C:\WINDOWS\system32\rtcshare.exe" = C:\WINDOWS\system32\rtcshare.exe:*:Enabled:‎‎שיתוף RTC App -- (Microsoft Corporation)
"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
"E:\Games\StarCraft II\StarCraft II.exe" = E:\Games\StarCraft II\StarCraft II.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"E:\Games\StarCraft II\Versions\Base15405\SC2.exe" = E:\Games\StarCraft II\Versions\Base15405\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Games\StarCraft II\Support\BlizzardDownloader.exe" = E:\Games\StarCraft II\Support\BlizzardDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"E:\Games\StarCraft II\Versions\Base16561\SC2.exe" = E:\Games\StarCraft II\Versions\Base16561\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Games\StarCraft II\Versions\Base16605\SC2.exe" = E:\Games\StarCraft II\Versions\Base16605\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Nice Programs\uTorrent\uTorrent.exe" = E:\Nice Programs\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"E:\Games\StarCraft II\Versions\Base16755\SC2.exe" = E:\Games\StarCraft II\Versions\Base16755\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\USBSetup.exe" = C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\USBSetup.exe:LocalSubNet:Enabled:הגדרת ההתקן של HP -- (Hewlett-Packard Co.)
"E:\Games\StarCraft II\Versions\Base16939\SC2.exe" = E:\Games\StarCraft II\Versions\Base16939\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Games\StarCraft II\Versions\Base17326\SC2.exe" = E:\Games\StarCraft II\Versions\Base17326\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Games\StarCraft II\Versions\Base18092\SC2.exe" = E:\Games\StarCraft II\Versions\Base18092\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Games\StarCraft II\Versions\Base18574\SC2.exe" = E:\Games\StarCraft II\Versions\Base18574\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Games\StarCraft II\Versions\Base19132\SC2.exe" = E:\Games\StarCraft II\Versions\Base19132\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"E:\Games\SecondLifeViewer2\SLVoice.exe" = E:\Games\SecondLifeViewer2\SLVoice.exe:*:Enabled:SLVoice -- (Vivox Inc.)
"E:\Nice Programs\Firestorm-Beta-Mesh\SLVoice.exe" = E:\Nice Programs\Firestorm-Beta-Mesh\SLVoice.exe:*:Enabled:SLVoice -- ()
"E:\Games\StarCraft II\Versions\Base19679\SC2.exe" = E:\Games\StarCraft II\Versions\Base19679\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"E:\Games\StarCraft II\Versions\Base21029\SC2.exe" = E:\Games\StarCraft II\Versions\Base21029\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{09CF6AF5-9206-4FD7-9B08-BA6819FB47E3}" = Anno 1404
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}" = SimCity™ Societies
"{11E94FDB-C895-45F1-B756-1C9B8C36C8F1}" = Microsoft IntelliType Pro 7.1
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = כלי ההעלאה של Windows Live
"{20FF702A-B145-4C6E-80DD-9F0527090848}" = Windows Live Call
"{224F8F8A-300C-41F5-94F2-E38A7AE4D319}" = תוכנה בסיסית של ההתקן HP Deskjet 1000 J110 series
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{2EEBAC31-3EEF-4118-91CB-1A286A507DB2}" = ESET NOD32 Antivirus
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0150170}" = J2SE Runtime Environment 5.0 Update 17
"{3377D2DE-B0F7-413E-97FE-E3E692DD7CDC}" = TQ Defiler.NET
"{350C97B4-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D9CF3CA-3AB0-4A82-9853-D7C43FD1D775}" = ANNO 1404
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE
"{4E20913E-72EF-4B99-BB60-73466D2280A1}" = לומדה של המדינה
"{4FE672A5-355A-4AB2-977F-EA2CCEF11EC5}" = 3DVIA Player
"{5285EAAC-F960-4C14-AD80-9D31CB00E8E4}" = Windows Live Essentials
"{59ABBDF0-E1E5-48AF-85FB-F523A08C3490}" = STREET FIGHTER IV
"{5E19D0AA-D95B-456C-ADE9-B046D86EAA24}" = TQVault
"{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}" = Microsoft LifeCam
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{7057ABC2-EFF3-4E43-9806-8BCB6EEA9FE6}" = Microsoft IntelliPoint 7.1
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7E0E01E6-8F0B-428B-9A06-668104DA6872}" = Business Plan Pro 11.0
"{7E19B002-4CA3-4C9F-BA92-91D101B97219}" = James Cameron's AVATAR™: THE GAME
"{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow
"{82696435-8572-4D8B-A230-D1AA567D0F0F}" = Command & Conquer™ 4 Tiberian Twilight
"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus
"{879C4951-5561-324B-B0F5-AA0864C4499E}" = Microsoft .NET Framework 4 Extended HEB Language Pack
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}" = Media Player Utilities 4.36
"{8FC35EC2-F690-3417-8175-ED16EC771126}" = Microsoft .NET Framework 4 Client Profile HEB Language Pack
"{9011040D-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-040D-0000-0000000FF1CE}" = חבילת תאימות עבור מהדורת 2007 של מערכת Office
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97BBECCF-B1FD-4010-8D4B-EFC9E3CCEECF}" = Driver Whiz
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{AEC81925-9C76-4707-84A9-40696C613ED3}" = Dragon Age: Origins
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Display Control Panel
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA תכנת nView 135.36
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA מנהל ההתקן עבור שמע בתקן HD 1.1.12.1
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B6F0BE9B-41D7-45A2-9A76-D3DB1A89EC6A}" = SnagIt 8
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{BCBA462D-3E1B-416C-89F8-492020D4BBF4}" = מסייע הכניסה של Windows Live
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFCD2A80-EC16-11E0-A273-B8AC6F97B88E}" = Google Earth
"{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
"{D4658131-9D1A-4395-876D-968E38FE8ED5}" = Universe at War Earth Assault
"{D5A9DA4B-E4F9-FB49-017D-769FC540F1F0}" = EA Download Manager UI
"{DC7AE432-E94C-4C8E-89A7-1958C0F6563A}" = Safari Photo Africa - Wild Earth Demo
"{DDDFCC77-7F9C-45E9-B38E-721BA599BA0C}" = HP Deskjet 1000 J110 series עזרה
"{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}" = CyberLink PowerDVD 10
"{E3723A04-A894-4036-A78E-282E18F43C0A}_is1" = Tinypic 3.14
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F659CCC7-63C8-49CC-8A76-34131CE5D3A8}" = Tube Toolbox
"{F74A71D5-9376-4F56-953C-024048768CD8}" = Windows Live Messenger
"{FE3997D3-6B56-4AC4-A99C-9DDFC45359BF}" = TuneUp Utilities Language Pack (en-US)
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"2E7D0B991BC131BACB1B89C0BB2353F0FBA85C03" = חבילת התקני Windows. - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"3DVIAStudioPlayer 2.13.194" = 3DVIA player 2.13.194
"AceReader Pro (Server)" = AceReader Pro (Server)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Aiseesoft iPad Transfer_is1" = Aiseesoft iPad Transfer
"Any DVD Converter Professional_is1" = Any DVD Converter Professional 4.0.7
"Any Video Converter Professional_is1" = Any Video Converter Professional 2.6.2
"AutoHotkey" = AutoHotkey 1.0.48.05
"Battle.net" = Battle.net
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"conduitEngine" = Conduit Engine
"EA Download Manager" = EA Download Manager
"Easy Hi-Q Recorder_is1" = Easy Hi-Q Recorder 2.4
"eMule" = eMule
"Enigma" = Enigma
"ESET Online Scanner" = ESET Online Scanner v3
"ffdshow_is1" = ffdshow [rev 3154] [2009-12-09]
"Firestorm-Beta-Mesh" = Firestorm-Beta-Mesh (remove only)
"HECI" = Intel® Management Engine Interface
"Hellfire" = Hellfire
"HitmanPro35" = Hitman Pro 3.5
"HP Photo Creations" = HP Photo Creations
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"InstallShield_{D4658131-9D1A-4395-876D-968E38FE8ED5}" = Universe at War Earth Assault
"InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}" = CyberLink PowerDVD 10
"Live 8.0.1" = Live 8.0.1
"Magi - Demo_is1" = Magi - Demo v1.3.2
"Magic ISO Maker v5.5 (build 0261)" = Magic ISO Maker v5.5 (build 0261)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware גירסה 1.60.0.1800
"Media Player - Codec Pack" = Media Player Codec Pack 3.9.5
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile HEB Language Pack" = Microsoft .NET Framework 4 Client Profile HEB Language Pack
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended HEB Language Pack" = Microsoft .NET Framework 4 Extended HEB Language Pack
"Misim" = Misim
"Movie Rotator_is1" = Movie Rotator 1.2
"Mozilla Firefox 5.0.1 (x86 he)" = Mozilla Firefox 5.0.1 (x86 he)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MS-MPEG4" = Microsoft MPEG-4 VKI Video Codec V1/V2/V3
"MySSID_is1" = EXPERTool 7.16
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Primal Pictures Interactive Foot and Ankle 2" = Primal Pictures Interactive Foot and Ankle 2
"Primal Pictures Interactive Hand 2000" = Primal Pictures Interactive Hand 2000
"Primal Pictures Interactive Head and Neck" = Primal Pictures Interactive Head and Neck
"Primal Pictures Interactive Hip" = Primal Pictures Interactive Hip
"Primal Pictures Interactive Knee 1.1" = Primal Pictures Interactive Knee 1.1
"Primal Pictures Interactive Pelvis and Perineum" = Primal Pictures Interactive Pelvis and Perineum
"Primal Pictures Interactive Shoulder" = Primal Pictures Interactive Shoulder
"Primal Pictures Interactive Spine" = Primal Pictures Interactive Spine
"Primal Pictures Interactive Thorax and Abdomen" = Primal Pictures Interactive Thorax and Abdomen
"Runic Games TorchED" = TorchED
"Runic Games Torchlight" = Torchlight
"SecondLifeViewer2" = SecondLifeViewer2 (remove only)
"Sierra Utilities" = Sierra Utilities
"StarCraft II" = StarCraft II
"TheHell" = The Hell
"TMACv5.0R3" = Technitium MAC Address Changer v5.0 Release 3
"Totalcmd" = Total Commander (Remove or Repair)
"Tropico3" = Tropico 3 1.00
"TuneUp Utilities" = TuneUp Utilities
"UnHackMe_is1" = UnHackMe 5.95 release
"uTorrent" = µTorrent
"VGA USB Camera" = VGA USB Camera
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp" = Winamp
"Windows Lemmings" = Lemmings for Windows 95
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Words Kingdom_is1" = Words Kingdom 1.03
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"xvid" = XviD MPEG-4 Video Codec
"Xvid_is1" = Xvid 1.2.2 final uninstall
"Youtube Downloader HD_is1" = Youtube Downloader HD v. 2.9.2
"YU2010_is1" = Your Uninstaller! 2010

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Puzzle Pirates" = Puzzle Pirates

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17/11/2011 14:25:19 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום explorer.exe, גירסה 6.0.2900.5512, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x715f9e59‏.

Error - 17/11/2011 14:25:59 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום explorer.exe, גירסה 6.0.2900.5512, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x715f9e59‏.

Error - 20/11/2011 17:21:54 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב iexplore.exe, גירסה 8.0.6001.18702, מודול חוסר תגובה
hungapp, גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 24/11/2011 19:04:01 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום wmplayer.exe, גירסה 11.0.5721.5145, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x00000000‏.

Error - 25/11/2011 07:40:42 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב TOTALCMD.EXE, גירסה 7.0.4.1, מודול חוסר תגובה hungapp,
גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 25/11/2011 07:40:42 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב TOTALCMD.EXE, גירסה 7.0.4.1, מודול חוסר תגובה hungapp,
גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 25/11/2011 07:40:47 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב iexplore.exe, גירסה 8.0.6001.18702, מודול חוסר תגובה
hungapp, גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 30/11/2011 00:20:09 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב iexplore.exe, גירסה 8.0.6001.18702, מודול חוסר תגובה
hungapp, גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 02/12/2011 19:37:50 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום explorer.exe, גירסה 6.0.2900.5512, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x715f9e59‏.

Error - 06/12/2011 14:02:30 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום chrome.exe, גירסה 0.0.0.0, תקלה במודול ntdll.dll, גירסה
5.1.2600.6055, כתובת התקלה 0x0001168b‏.

[ Application Events ]
Error - 17/11/2011 14:25:19 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום explorer.exe, גירסה 6.0.2900.5512, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x715f9e59‏.

Error - 17/11/2011 14:25:59 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום explorer.exe, גירסה 6.0.2900.5512, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x715f9e59‏.

Error - 20/11/2011 17:21:54 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב iexplore.exe, גירסה 8.0.6001.18702, מודול חוסר תגובה
hungapp, גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 24/11/2011 19:04:01 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום wmplayer.exe, גירסה 11.0.5721.5145, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x00000000‏.

Error - 25/11/2011 07:40:42 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב TOTALCMD.EXE, גירסה 7.0.4.1, מודול חוסר תגובה hungapp,
גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 25/11/2011 07:40:42 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב TOTALCMD.EXE, גירסה 7.0.4.1, מודול חוסר תגובה hungapp,
גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 25/11/2011 07:40:47 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב iexplore.exe, גירסה 8.0.6001.18702, מודול חוסר תגובה
hungapp, גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 30/11/2011 00:20:09 | Computer Name = USER-907F5FD299 | Source = Application Hang | ID = 1002
Description = ‏‏יישום לא מגיב iexplore.exe, גירסה 8.0.6001.18702, מודול חוסר תגובה
hungapp, גירסה 0.0.0.0, כתובת חוסר תגובה 0x00000000‏.

Error - 02/12/2011 19:37:50 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום explorer.exe, גירסה 6.0.2900.5512, תקלה במודול unknown,
גירסה 0.0.0.0, כתובת התקלה 0x715f9e59‏.

Error - 06/12/2011 14:02:30 | Computer Name = USER-907F5FD299 | Source = Application Error | ID = 1000
Description = ‏‏תקלה ביישום chrome.exe, גירסה 0.0.0.0, תקלה במודול ntdll.dll, גירסה
5.1.2600.6055, כתובת התקלה 0x0001168b‏.

[ System Events ]
Error - 22/03/2012 16:03:03 | Computer Name = USER-907F5FD299 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service TuneUp.UtilitiesSvc
with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}

Error - 22/03/2012 16:03:10 | Computer Name = USER-907F5FD299 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service TuneUp.UtilitiesSvc
with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}

Error - 22/03/2012 16:03:17 | Computer Name = USER-907F5FD299 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service TuneUp.UtilitiesSvc
with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}

Error - 22/03/2012 16:03:31 | Computer Name = USER-907F5FD299 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service TuneUp.UtilitiesSvc
with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}

Error - 22/03/2012 16:03:51 | Computer Name = USER-907F5FD299 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service TuneUp.UtilitiesSvc
with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}

Error - 22/03/2012 16:04:11 | Computer Name = USER-907F5FD299 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service TuneUp.UtilitiesSvc
with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}

Error - 22/03/2012 22:01:10 | Computer Name = USER-907F5FD299 | Source = atapi | ID = 262153
Description = ‏‏התקן \Device\Ide\IdePort2 לא הגיב במהלך פרק הזמן שהוקצב.

Error - 22/03/2012 22:02:42 | Computer Name = USER-907F5FD299 | Source = atapi | ID = 262153
Description = ‏‏התקן \Device\Ide\IdePort2 לא הגיב במהלך פרק הזמן שהוקצב.

Error - 22/03/2012 23:38:00 | Computer Name = USER-907F5FD299 | Source = atapi | ID = 262153
Description = ‏‏התקן \Device\Ide\IdePort2 לא הגיב במהלך פרק הזמן שהוקצב.

Error - 22/03/2012 23:38:08 | Computer Name = USER-907F5FD299 | Source = atapi | ID = 262153
Description = ‏‏התקן \Device\Ide\IdePort2 לא הגיב במהלך פרק הזמן שהוקצב.


< End of report >


5. My computer takes longer to upload than before and every period of time my computer screen blinks with black screens for a short time (bit less than a second or so). The rootkit is still there in my computer, and I yet to know how to get rid of it. And thanks for reading. I had no special problems to make the scans.

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:56 PM

Posted 27 March 2012 - 12:19 AM

Hi BugSniper!

I'm using Windows XP.

I forgot to remove that portion of text regarding the Vista/7 information.

TDSS Killer has found two objects. I think that the first, a347bus, is a clone drive called Alcohol which I already tried to remove from my computer. And I think that the second, partizan, belongs to the software "Unhack me" which helps me remove other simpler malicious stuff. I have no special questions, I just want it to be totally malware free.

Yes, you are correct, a347bus is in fact related to the Alcohol 120% utility, and the second is related to the UnHack me utility.

Thanks for providing me with the update on how things are running with your computer. :)

OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/home?AF=88888&tt=aabctest8057a"
    FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=KW_def&AF=88888&tt=aabctest8057a&q="
    FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
    FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    [2012/01/26 12:38:55 | 000,000,000 | ---D | M] (Babylon) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com
    [2011/08/09 16:24:08 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    [2011/10/04 21:54:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
    [2012/03/03 21:31:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    [2012/01/26 12:38:48 | 000,002,353 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {56CF4856-ECB4-4E46-A897-A378821F97B9} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {56CF4856-ECB4-4E46-A897-A378821F97B9} - No CLSID value found.
    O3 - HKU\S-1-5-21-790525478-1177238915-725345543-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    
    :Reg
    
    :Files
    type "C:\WINDOWS\winstart.bat" /c
    type "C:\ComboFix.txt" /c
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running aswMBR.exe

Download aswMBR.exe (4.5mb) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image



NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL Fix log.
3. aswMBR log.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Edited by SweetTech, 27 March 2012 - 12:20 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 BugSniper

BugSniper
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 27 March 2012 - 01:33 PM

1. Thank you ST for your fast reply, I reboot like OTL asked me to, and I agreed when the avast anti virus told me to download updates. And if you want me to use anything in safe mode, let me know. And I think the problem started after one of my friends downloaded and used Babylon in my computer, not sure.

2. All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
Prefs.js: "http://search.babylon.com/home?AF=88888&tt=aabctest8057a" removed from browser.startup.homepage
Prefs.js: "http://search.babylon.com/?babsrc=KW_def&AF=88888&tt=aabctest8057a&q=" removed from keyword.URL
Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename
Prefs.js: "Search the web (Babylon)" removed from browser.search.selectedEngine
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com\defaults\preferences folder moved successfully.
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com\defaults folder moved successfully.
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com\content\imgs\flgs folder moved successfully.
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com\content\imgs folder moved successfully.
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com\content folder moved successfully.
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com\components folder moved successfully.
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\extensions\ffxtlbr@babylon.com folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} folder moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{56CF4856-ECB4-4E46-A897-A378821F97B9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56CF4856-ECB4-4E46-A897-A378821F97B9}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{56CF4856-ECB4-4E46-A897-A378821F97B9} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56CF4856-ECB4-4E46-A897-A378821F97B9}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== REGISTRY ==========
========== FILES ==========
< type "C:\WINDOWS\winstart.bat" /c >
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
< type "C:\ComboFix.txt" /c >
ComboFix 12-03-22.01 - user 03/25/2012 12:03:15.41.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.2030.1633 [GMT 2:00]
Running from: F:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\pdfMachine
2012-03-22 18:33 . 2012-03-22 18:35 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\pdfMachine
2012-03-22 18:26 . 2012-03-22 18:26 -------- d-----w- c:\program files\BCL Technologies
2012-03-03 19:31 . 2012-03-03 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 15:12 . 2010-03-19 10:03 2 --shatr- c:\windows\winstart.bat
2012-03-17 21:11 . 2012-03-15 13:39 335504 ----a-w- c:\windows\system32\drivers\TRUFOSALT.SYS.del
2012-03-03 19:31 . 2010-06-03 23:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 10:02 . 2011-05-15 11:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2006-03-02 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 08:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-03-11 16:54 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-07-08 07:41 . 2011-08-09 14:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-02_22.10.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-25 10:01 . 2012-03-25 10:01 16384 c:\windows\temp\Perflib_Perfdata_610.dat
+ 2012-03-25 10:20 . 2012-03-25 10:20 53248 c:\windows\temp\catchme.dll
+ 2012-03-22 18:33 . 2009-03-20 07:04 17408 c:\windows\system32\spool\drivers\w32x86\3\psapi.dll
+ 2010-03-11 17:32 . 2012-03-14 11:02 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 157472 c:\windows\system32\javaws.exe
- 2011-10-27 12:50 . 2011-10-03 03:06 157472 c:\windows\system32\javaws.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\javaw.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\java.exe
- 2010-03-11 18:44 . 2012-02-15 11:11 381632 c:\windows\system32\FNTCACHE.DAT
+ 2010-03-11 18:44 . 2012-03-14 11:29 381632 c:\windows\system32\FNTCACHE.DAT
+ 2011-08-11 12:16 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2012-03-03 19:32 . 2012-03-03 19:32 203776 c:\windows\Installer\45304b8.msi
+ 2012-03-03 19:31 . 2012-03-03 19:31 901120 c:\windows\Installer\45304a4.msi
+ 2010-03-11 17:32 . 2012-03-14 11:02 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2012-03-22 18:33 . 2009-08-13 21:55 1748992 c:\windows\system32\spool\drivers\w32x86\3\gdiplus.dll
+ 2009-08-14 15:14 . 2012-02-03 09:57 1859968 c:\windows\system32\dllcache\win32k.sys
+ 2012-03-05 19:34 . 2012-03-05 19:34 5519872 c:\windows\Installer\426dd1.msp
+ 2010-03-18 21:51 . 2012-03-14 11:04 54215544 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESET GUI"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-17 16132608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
path=
backup=
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dumprep 0 -k]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brs]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESET GUI]
2009-05-14 13:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-28 12:08 136176 ----atw- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hackmon]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2011-08-31 21:07 6394688 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 02:17 168448 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 19:11 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD10Serv]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDRShortCut]
2008-12-03 19:15 218408 ----a-w- e:\nice programs\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampa]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"RichVideo"=2 (0x2)
"iPod Service"=3 (0x3)
"TuneUp.UtilitiesSvc"=2 (0x2)
"MSCamSvc"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"GAINWARD"=c:\program files\EXPERTool\TBPanel.exe /A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Games\\Heroes III\\Heroes3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Games\\Avatar\\bin\\Avatar.exe"=
"e:\\Games\\Avatar\\bin\\AvatarLauncher.exe"=
"e:\\Games\\ANNO 1404\\Anno4.exe"=
"e:\\Games\\ANNO 1404\\tools\\Anno4Web.exe"=
"e:\\Games\\C&C 4\\Data\\CNC4.game"=
"e:\\Games\\Street Fighter 4\\StreetFighterIV.exe"=
"e:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"e:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"e:\\Games\\The Hell\\TH.exe"=
"e:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"e:\\Games\\StarCraft II\\StarCraft II.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"e:\\Games\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"e:\\Nice Programs\\uTorrent\\uTorrent.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18574\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19132\\SC2.exe"=
"e:\\Games\\SecondLifeViewer2\\SLVoice.exe"=
"e:\\Nice Programs\\Firestorm-Beta-Mesh\\SLVoice.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19679\\SC2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"e:\\Games\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [19/07/2011 16:14 100456]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/07/22 18:57];e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl [13/03/2010 11:58 87536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [30/06/2010 21:07 30576]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [29/03/2010 14:33 30946]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [07/07/2010 16:11 24416]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [24/02/2010 13:41 10064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S3 zlportio;zlportio;\??\e:\games\Ultrastar Deluxe\zlportio.sys --> e:\games\Ultrastar Deluxe\zlportio.sys [?]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [22/09/2010 14:37 160640]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [06/07/2010 13:55 1051968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.walla.co.il/
TCP: DhcpNameServer = 10.0.0.138
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
DPF: {F705A1E9-0E4C-4F32-A647-2DE40809969A} - hxxp://player.studio.3dvia.com/3DVIAPlayer-Installer.exe
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=88888&tt=aabctest8057a
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=KW_def&AF=88888&tt=aabctest8057a&q=
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.id - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.hardId - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15365
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - orgnl
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=250112_ncl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - def
FF - user.js: extensions.BabylonToolbar_i.instlRef - na
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 12:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\

M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\dfrg.msc"
"File2"="c:\\WINDOWS\\system32\\compmgmt.msc"
"File3"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File4"="c:\\WINDOWS\\system32\\perfmon.msc"
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\

M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Settings]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-03-25 12:22:50
ComboFix-quarantined-files.txt 2012-03-25 10:22
ComboFix2.txt 2012-03-24 18:39
ComboFix3.txt 2012-03-24 00:28
ComboFix4.txt 2012-03-22 20:02
ComboFix5.txt 2012-03-25 09:54
.
Pre-Run: 11,634,225,152 bytes free
Post-Run: 11,683,131,392 bytes free
.
- - End Of File - - 10426DBA2EC1ED6F158945B2A87E1EDA
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\hosts
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: Administrator.USER-907F5FD299
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 51644480 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 242839439 bytes
->Flash cache emptied: 75779466 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5954340 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 359.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.USER-907F5FD299
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: user
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.USER-907F5FD299

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 03272012_180908

Files\Folders moved on Reboot...
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GXV02VRB\page__gopid__2643725[1].htm moved successfully.
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\WINDOWS\temp\~DF42CC.tmp not found!
File\Folder C:\WINDOWS\temp\~DF43C2.tmp not found!
File\Folder C:\WINDOWS\temp\~DF4451.tmp not found!
File\Folder C:\WINDOWS\temp\~DF4491.tmp not found!

Registry entries deleted on Reboot...


3.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-27 18:17:27
-----------------------------
18:17:27.562 OS Version: Windows 5.1.2600 Service Pack 3
18:17:27.562 Number of processors: 2 586 0xF0B
18:17:27.562 ComputerName: USER-907F5FD299 UserName: user
18:17:42.046 Initialize success
18:22:40.625 AVAST engine defs: 12032701
18:23:19.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
18:23:19.046 Disk 0 Vendor: ST3500418AS CC38 Size: 476940MB BusType: 3
18:23:19.046 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-1b
18:23:19.046 Disk 1 Vendor: WDC_WD7500AAKS-00RBA0 30.04G30 Size: 715404MB BusType: 3
18:23:19.046 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T0L0-26
18:23:19.062 Disk 2 Vendor: Hitachi_HDT725032VLA360 V54OA7EA Size: 305245MB BusType: 3
18:23:19.078 Disk 0 MBR read successfully
18:23:19.078 Disk 0 MBR scan
18:23:19.125 Disk 0 Windows XP default MBR code
18:23:19.125 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
18:23:19.140 Disk 0 scanning sectors +976752000
18:23:19.234 Disk 0 scanning C:\WINDOWS\system32\drivers
18:23:46.031 Service scanning
18:24:21.546 Modules scanning
18:24:37.296 Disk 0 trace - called modules:
18:24:37.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
18:24:37.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a77fab8]
18:24:37.343 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a7289e8]
18:24:37.343 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-10[0x8a79bb00]
18:24:41.406 AVAST engine scan C:\WINDOWS
18:25:11.140 AVAST engine scan C:\WINDOWS\system32
18:33:53.812 AVAST engine scan C:\WINDOWS\system32\drivers
18:34:28.375 AVAST engine scan C:\Documents and Settings\user
19:53:01.109 AVAST engine scan C:\Documents and Settings\All Users
20:19:00.671 Scan finished successfully
20:32:23.828 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
20:32:23.890 The log file has been saved successfully to "E:\aswMBR.txt"


4. My computer still takes long to load, is working a bit slow, and surfing the internet is still much slower than before, but I am optimistic, I'll go this through with you.

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:56 PM

Posted 28 March 2012 - 12:28 AM

Hi BugSniper!

1. Thank you ST for your fast reply, I reboot like OTL asked me to, and I agreed when the avast anti virus told me to download updates. And if you want me to use anything in safe mode, let me know. And I think the problem started after one of my friends downloaded and used Babylon in my computer, not sure.

Not a problem!

The installation of Babylon could very well be a contributing factor to the start of these issues.

4. My computer still takes long to load, is working a bit slow, and surfing the internet is still much slower than before, but I am optimistic, I'll go this through with you.

Okay, well hopefully we'll be able to get a handle on that issue shortly.

I see that ComboFix was run multiple times on this computer. Before we proceed, I'd really like to get a look at the log files that those scans produced.

Please do the following for locating those files:

Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Click on Qoobox in the left-hand window pane
  • Look for ComboFix2.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When file opens, Copy/Paste text here.

Please repeat the above process for locating these files as well: ComboFix3.txt, ComboFix4.txt, & ComboFix5.txt

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 BugSniper

BugSniper
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 28 March 2012 - 01:10 PM

Hello again ST! When i've ran combofix before, it told me to run it again if it doesn't solve the problem, and I tried to run it for few times. I didn't try to use combofix on safe mode because I don't know how to turn off my ESET antivirus in safe mode, I'm sending ComboFix5.txt as an attachment because I tried to post it twice in this reply window and it made my windows explorer window to get stuck (Since I was infected with the rootkit I surf fairly slow). (Combofix5.txt is over 1.4megabytes, compared to all others which are much smaller).


ComboFix2.txt:

ComboFix 12-03-22.01 - user 03/24/2012 20:19:22.40.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.2030.1632 [GMT 2:00]
Running from: F:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\pdfMachine
2012-03-22 18:33 . 2012-03-22 18:35 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\pdfMachine
2012-03-22 18:26 . 2012-03-22 18:26 -------- d-----w- c:\program files\BCL Technologies
2012-03-03 19:31 . 2012-03-03 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 15:12 . 2010-03-19 10:03 2 --shatr- c:\windows\winstart.bat
2012-03-17 21:11 . 2012-03-15 13:39 335504 ----a-w- c:\windows\system32\drivers\TRUFOSALT.SYS.del
2012-03-03 19:31 . 2010-06-03 23:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 10:02 . 2011-05-15 11:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2006-03-02 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 08:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-03-11 16:54 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-07-08 07:41 . 2011-08-09 14:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-02_22.10.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-24 18:17 . 2012-03-24 18:17 16384 c:\windows\temp\Perflib_Perfdata_618.dat
+ 2012-03-24 18:37 . 2012-03-24 18:37 53248 c:\windows\temp\catchme.dll
+ 2012-03-22 18:33 . 2009-03-20 07:04 17408 c:\windows\system32\spool\drivers\w32x86\3\psapi.dll
+ 2010-03-11 17:32 . 2012-03-14 11:02 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 157472 c:\windows\system32\javaws.exe
- 2011-10-27 12:50 . 2011-10-03 03:06 157472 c:\windows\system32\javaws.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\javaw.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\java.exe
- 2010-03-11 18:44 . 2012-02-15 11:11 381632 c:\windows\system32\FNTCACHE.DAT
+ 2010-03-11 18:44 . 2012-03-14 11:29 381632 c:\windows\system32\FNTCACHE.DAT
+ 2011-08-11 12:16 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2012-03-03 19:32 . 2012-03-03 19:32 203776 c:\windows\Installer\45304b8.msi
+ 2012-03-03 19:31 . 2012-03-03 19:31 901120 c:\windows\Installer\45304a4.msi
+ 2010-03-11 17:32 . 2012-03-14 11:02 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2012-03-22 18:33 . 2009-08-13 21:55 1748992 c:\windows\system32\spool\drivers\w32x86\3\gdiplus.dll
+ 2009-08-14 15:14 . 2012-02-03 09:57 1859968 c:\windows\system32\dllcache\win32k.sys
+ 2012-03-05 19:34 . 2012-03-05 19:34 5519872 c:\windows\Installer\426dd1.msp
+ 2010-03-18 21:51 . 2012-03-14 11:04 54215544 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESET GUI"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-17 16132608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
path=
backup=
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dumprep 0 -k]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brs]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESET GUI]
2009-05-14 13:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-28 12:08 136176 ----atw- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hackmon]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2011-08-31 21:07 6394688 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 02:17 168448 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 19:11 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD10Serv]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDRShortCut]
2008-12-03 19:15 218408 ----a-w- e:\nice programs\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampa]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"RichVideo"=2 (0x2)
"iPod Service"=3 (0x3)
"TuneUp.UtilitiesSvc"=2 (0x2)
"MSCamSvc"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"GAINWARD"=c:\program files\EXPERTool\TBPanel.exe /A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Games\\Heroes III\\Heroes3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Games\\Avatar\\bin\\Avatar.exe"=
"e:\\Games\\Avatar\\bin\\AvatarLauncher.exe"=
"e:\\Games\\ANNO 1404\\Anno4.exe"=
"e:\\Games\\ANNO 1404\\tools\\Anno4Web.exe"=
"e:\\Games\\C&C 4\\Data\\CNC4.game"=
"e:\\Games\\Street Fighter 4\\StreetFighterIV.exe"=
"e:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"e:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"e:\\Games\\The Hell\\TH.exe"=
"e:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"e:\\Games\\StarCraft II\\StarCraft II.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"e:\\Games\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"e:\\Nice Programs\\uTorrent\\uTorrent.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18574\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19132\\SC2.exe"=
"e:\\Games\\SecondLifeViewer2\\SLVoice.exe"=
"e:\\Nice Programs\\Firestorm-Beta-Mesh\\SLVoice.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19679\\SC2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"e:\\Games\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [19/07/2011 16:14 100456]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [29/03/2010 14:33 30946]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/07/22 18:57];e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl [13/03/2010 11:58 87536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [30/06/2010 21:07 30576]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [07/07/2010 16:11 24416]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [24/02/2010 13:41 10064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S3 zlportio;zlportio;\??\e:\games\Ultrastar Deluxe\zlportio.sys --> e:\games\Ultrastar Deluxe\zlportio.sys [?]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [22/09/2010 14:37 160640]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [06/07/2010 13:55 1051968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.walla.co.il/
TCP: DhcpNameServer = 10.0.0.138
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
DPF: {F705A1E9-0E4C-4F32-A647-2DE40809969A} - hxxp://player.studio.3dvia.com/3DVIAPlayer-Installer.exe
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=88888&tt=aabctest8057a
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=KW_def&AF=88888&tt=aabctest8057a&q=
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.id - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.hardId - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15365
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - orgnl
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=250112_ncl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - def
FF - user.js: extensions.BabylonToolbar_i.instlRef - na
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-24 20:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\dfrg.msc"
"File2"="c:\\WINDOWS\\system32\\compmgmt.msc"
"File3"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File4"="c:\\WINDOWS\\system32\\perfmon.msc"
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Settings]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-03-24 20:39:03
ComboFix-quarantined-files.txt 2012-03-24 18:39
ComboFix2.txt 2012-03-24 00:28
ComboFix3.txt 2012-03-22 20:02
ComboFix4.txt 2012-03-22 16:05
ComboFix5.txt 2012-03-24 18:10
.
Pre-Run: 11,627,626,496 bytes free
Post-Run: 11,692,904,448 bytes free
.
- - End Of File - - 41B7E28C2B64B8F89459C6E74978AE51


ComboFix3.txt:

ComboFix 12-03-22.01 - user 03/24/2012 2:09.39.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.2030.1616 [GMT 2:00]
Running from: F:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\pdfMachine
2012-03-22 18:33 . 2012-03-22 18:35 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\pdfMachine
2012-03-22 18:26 . 2012-03-22 18:26 -------- d-----w- c:\program files\BCL Technologies
2012-03-03 19:31 . 2012-03-03 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 15:12 . 2010-03-19 10:03 2 --shatr- c:\windows\winstart.bat
2012-03-17 21:11 . 2012-03-15 13:39 335504 ----a-w- c:\windows\system32\drivers\TRUFOSALT.SYS.del
2012-03-03 19:31 . 2010-06-03 23:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 10:02 . 2011-05-15 11:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2006-03-02 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 08:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-03-11 16:54 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-07-08 07:41 . 2011-08-09 14:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-02_22.10.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-24 00:07 . 2012-03-24 00:07 16384 c:\windows\temp\Perflib_Perfdata_5f0.dat
+ 2012-03-24 00:26 . 2012-03-24 00:26 53248 c:\windows\temp\catchme.dll
+ 2012-03-22 18:33 . 2009-03-20 07:04 17408 c:\windows\system32\spool\drivers\w32x86\3\psapi.dll
+ 2010-03-11 17:32 . 2012-03-14 11:02 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 157472 c:\windows\system32\javaws.exe
- 2011-10-27 12:50 . 2011-10-03 03:06 157472 c:\windows\system32\javaws.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\javaw.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\java.exe
- 2010-03-11 18:44 . 2012-02-15 11:11 381632 c:\windows\system32\FNTCACHE.DAT
+ 2010-03-11 18:44 . 2012-03-14 11:29 381632 c:\windows\system32\FNTCACHE.DAT
+ 2011-08-11 12:16 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2012-03-03 19:32 . 2012-03-03 19:32 203776 c:\windows\Installer\45304b8.msi
+ 2012-03-03 19:31 . 2012-03-03 19:31 901120 c:\windows\Installer\45304a4.msi
+ 2010-03-11 17:32 . 2012-03-14 11:02 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2012-03-22 18:33 . 2009-08-13 21:55 1748992 c:\windows\system32\spool\drivers\w32x86\3\gdiplus.dll
+ 2009-08-14 15:14 . 2012-02-03 09:57 1859968 c:\windows\system32\dllcache\win32k.sys
+ 2012-03-05 19:34 . 2012-03-05 19:34 5519872 c:\windows\Installer\426dd1.msp
+ 2010-03-18 21:51 . 2012-03-14 11:04 54215544 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESET GUI"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-17 16132608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
path=
backup=
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dumprep 0 -k]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brs]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESET GUI]
2009-05-14 13:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-28 12:08 136176 ----atw- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hackmon]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2011-08-31 21:07 6394688 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 02:17 168448 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 19:11 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD10Serv]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDRShortCut]
2008-12-03 19:15 218408 ----a-w- e:\nice programs\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampa]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"RichVideo"=2 (0x2)
"iPod Service"=3 (0x3)
"TuneUp.UtilitiesSvc"=2 (0x2)
"MSCamSvc"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"GAINWARD"=c:\program files\EXPERTool\TBPanel.exe /A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Games\\Heroes III\\Heroes3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Games\\Avatar\\bin\\Avatar.exe"=
"e:\\Games\\Avatar\\bin\\AvatarLauncher.exe"=
"e:\\Games\\ANNO 1404\\Anno4.exe"=
"e:\\Games\\ANNO 1404\\tools\\Anno4Web.exe"=
"e:\\Games\\C&C 4\\Data\\CNC4.game"=
"e:\\Games\\Street Fighter 4\\StreetFighterIV.exe"=
"e:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"e:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"e:\\Games\\The Hell\\TH.exe"=
"e:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"e:\\Games\\StarCraft II\\StarCraft II.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"e:\\Games\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"e:\\Nice Programs\\uTorrent\\uTorrent.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18574\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19132\\SC2.exe"=
"e:\\Games\\SecondLifeViewer2\\SLVoice.exe"=
"e:\\Nice Programs\\Firestorm-Beta-Mesh\\SLVoice.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19679\\SC2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"e:\\Games\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [19/07/2011 16:14 100456]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/07/22 18:57];e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl [13/03/2010 11:58 87536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [30/06/2010 21:07 30576]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [29/03/2010 14:33 30946]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [07/07/2010 16:11 24416]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [24/02/2010 13:41 10064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S3 zlportio;zlportio;\??\e:\games\Ultrastar Deluxe\zlportio.sys --> e:\games\Ultrastar Deluxe\zlportio.sys [?]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [22/09/2010 14:37 160640]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [06/07/2010 13:55 1051968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.walla.co.il/
TCP: DhcpNameServer = 10.0.0.138
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
DPF: {F705A1E9-0E4C-4F32-A647-2DE40809969A} - hxxp://player.studio.3dvia.com/3DVIAPlayer-Installer.exe
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=88888&tt=aabctest8057a
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=KW_def&AF=88888&tt=aabctest8057a&q=
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.id - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.hardId - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15365
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - orgnl
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=250112_ncl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - def
FF - user.js: extensions.BabylonToolbar_i.instlRef - na
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-24 02:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\dfrg.msc"
"File2"="c:\\WINDOWS\\system32\\compmgmt.msc"
"File3"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File4"="c:\\WINDOWS\\system32\\perfmon.msc"
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Settings]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-03-24 02:28:43
ComboFix-quarantined-files.txt 2012-03-24 00:28
ComboFix2.txt 2012-03-22 20:02
ComboFix3.txt 2012-03-22 16:05
ComboFix4.txt 2012-03-22 14:55
ComboFix5.txt 2012-03-23 23:59
.
Pre-Run: 11,525,775,360 bytes free
Post-Run: 11,580,604,416 bytes free
.
- - End Of File - - 15375B80F8DAEBAD101CBF714B6A25A3


Combofix4.txt:

ComboFix 12-03-22.01 - user 03/22/2012 21:43:03.38.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.2030.1628 [GMT 2:00]
Running from: F:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-02-22 to 2012-03-22 )))))))))))))))))))))))))))))))
.
.
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\pdfMachine
2012-03-22 18:33 . 2012-03-22 18:35 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\pdfMachine
2012-03-22 18:26 . 2012-03-22 18:26 -------- d-----w- c:\program files\BCL Technologies
2012-03-03 19:31 . 2012-03-03 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 15:12 . 2010-03-19 10:03 2 --shatr- c:\windows\winstart.bat
2012-03-17 21:11 . 2012-03-15 13:39 335504 ----a-w- c:\windows\system32\drivers\TRUFOSALT.SYS.del
2012-03-03 19:31 . 2010-06-03 23:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 10:02 . 2011-05-15 11:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2006-03-02 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 08:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-03-11 16:54 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-07-08 07:41 . 2011-08-09 14:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-02_22.10.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-22 19:41 . 2012-03-22 19:41 16384 c:\windows\temp\Perflib_Perfdata_608.dat
+ 2012-03-22 20:00 . 2012-03-22 20:00 53248 c:\windows\temp\catchme.dll
+ 2012-03-22 18:33 . 2009-03-20 07:04 17408 c:\windows\system32\spool\drivers\w32x86\3\psapi.dll
+ 2010-03-11 17:32 . 2012-03-14 11:02 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 157472 c:\windows\system32\javaws.exe
- 2011-10-27 12:50 . 2011-10-03 03:06 157472 c:\windows\system32\javaws.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\javaw.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\java.exe
- 2010-03-11 18:44 . 2012-02-15 11:11 381632 c:\windows\system32\FNTCACHE.DAT
+ 2010-03-11 18:44 . 2012-03-14 11:29 381632 c:\windows\system32\FNTCACHE.DAT
+ 2011-08-11 12:16 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2012-03-03 19:32 . 2012-03-03 19:32 203776 c:\windows\Installer\45304b8.msi
+ 2012-03-03 19:31 . 2012-03-03 19:31 901120 c:\windows\Installer\45304a4.msi
+ 2010-03-11 17:32 . 2012-03-14 11:02 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2012-03-22 18:33 . 2009-08-13 21:55 1748992 c:\windows\system32\spool\drivers\w32x86\3\gdiplus.dll
+ 2009-08-14 15:14 . 2012-02-03 09:57 1859968 c:\windows\system32\dllcache\win32k.sys
+ 2012-03-05 19:34 . 2012-03-05 19:34 5519872 c:\windows\Installer\426dd1.msp
+ 2010-03-18 21:51 . 2012-03-14 11:04 54215544 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESET GUI"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-17 16132608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
path=
backup=
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dumprep 0 -k]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brs]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESET GUI]
2009-05-14 13:47 2029640 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-28 12:08 136176 ----atw- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hackmon]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2011-08-31 21:07 6394688 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 02:17 168448 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 19:11 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD10Serv]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDRShortCut]
2008-12-03 19:15 218408 ----a-w- e:\nice programs\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampa]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"RichVideo"=2 (0x2)
"iPod Service"=3 (0x3)
"TuneUp.UtilitiesSvc"=2 (0x2)
"MSCamSvc"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"GAINWARD"=c:\program files\EXPERTool\TBPanel.exe /A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Games\\Heroes III\\Heroes3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Games\\Avatar\\bin\\Avatar.exe"=
"e:\\Games\\Avatar\\bin\\AvatarLauncher.exe"=
"e:\\Games\\ANNO 1404\\Anno4.exe"=
"e:\\Games\\ANNO 1404\\tools\\Anno4Web.exe"=
"e:\\Games\\C&C 4\\Data\\CNC4.game"=
"e:\\Games\\Street Fighter 4\\StreetFighterIV.exe"=
"e:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"e:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"e:\\Games\\The Hell\\TH.exe"=
"e:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"e:\\Games\\StarCraft II\\StarCraft II.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"e:\\Games\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"e:\\Nice Programs\\uTorrent\\uTorrent.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18574\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19132\\SC2.exe"=
"e:\\Games\\SecondLifeViewer2\\SLVoice.exe"=
"e:\\Nice Programs\\Firestorm-Beta-Mesh\\SLVoice.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19679\\SC2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"e:\\Games\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [19/07/2011 16:14 100456]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [29/03/2010 14:33 30946]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/07/22 18:57];e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl [13/03/2010 11:58 87536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [30/06/2010 21:07 30576]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [07/07/2010 16:11 24416]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [24/02/2010 13:41 10064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S3 zlportio;zlportio;\??\e:\games\Ultrastar Deluxe\zlportio.sys --> e:\games\Ultrastar Deluxe\zlportio.sys [?]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [22/09/2010 14:37 160640]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [06/07/2010 13:55 1051968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-22 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.walla.co.il/
TCP: DhcpNameServer = 10.0.0.138
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
DPF: {F705A1E9-0E4C-4F32-A647-2DE40809969A} - hxxp://player.studio.3dvia.com/3DVIAPlayer-Installer.exe
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=88888&tt=aabctest8057a
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=KW_def&AF=88888&tt=aabctest8057a&q=
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.id - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.hardId - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15365
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - orgnl
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=250112_ncl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - def
FF - user.js: extensions.BabylonToolbar_i.instlRef - na
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-22 22:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\dfrg.msc"
"File2"="c:\\WINDOWS\\system32\\compmgmt.msc"
"File3"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File4"="c:\\WINDOWS\\system32\\perfmon.msc"
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Settings]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-03-22 22:02:27
ComboFix-quarantined-files.txt 2012-03-22 20:02
ComboFix2.txt 2012-03-22 16:05
ComboFix3.txt 2012-03-22 14:55
ComboFix4.txt 2012-03-22 14:32
ComboFix5.txt 2012-03-22 19:34
.
Pre-Run: 11,573,800,960 bytes free
Post-Run: 11,616,444,416 bytes free
.
- - End Of File - - BF4BD2DDD4247FFB1A7F13B87E0A9053

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:56 PM

Posted 29 March 2012 - 01:28 AM

Hi BugSniper,

Thanks for that information regarding ComboFix.

I didn't see an attachment at the end of this post. I have a feeling you weren't able to attach the file due to its size.

If that's the case, please submit the file to my submission channel:

Uploading File
Please visit this site & follow the instructions for uploading the file mentioned below.
Copy/paste the contents of the Code Box below into the Link to topic where this file was requested: box:
http://www.bleepingcomputer.com/forums/topic447300.html/page__view__findpost__p__2645961
Click Browse & navigate to where the ComboFix5.txt file is located.

I'd like to also have you check to ensure that your MSConfig settings are correct.

Please do the following:

Msconfig Normal Startup

  • Click on Start >> Run.
  • Type msconfig >> Then hit on enter.
  • A window will popup.
  • Click on General tab > Normal Startup > OK > Restart.

Please be sure to post back once the file has been submitted, as well as inform me of any changes (if any) that were made in MSConfig.

Warmest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 BugSniper

BugSniper
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 29 March 2012 - 05:23 AM

I've submitted you the file.
I've also made a normal startup in my MSCONFIG. (It was selective startup before).
Now, when I start my computer, massanger, itunes, my microsoft camera, quicktime, google update, unhackme (hackmon), apple, power dvd, other cyberlink software, adobe reader and a demo version of Hitman pro also start, I disabled these things in msconfig in the past so they won't slow my comp and now normal startup brought them again. I will be happy to disable them again..

I'm using RTHDCPL, ipoint, itype, HPWuSchud2, AdobeARM, NvMcTray, NvCpl, APSDaemon, jusched, QTTask, winampa, PDVD10Serv, LifeExp, dumprep 0 -k, HitmanPro35, brs, equi, ctfmon, hackmon, msnmsgr, GoogleUpdate right now.

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:56 PM

Posted 29 March 2012 - 07:27 AM

Hi BugSniper,

Thanks for submitting that log file.

I've also made a normal startup in my MSCONFIG. (It was selective startup before).
Now, when I start my computer, massanger, itunes, my microsoft camera, quicktime, google update, unhackme (hackmon), apple, power dvd, other cyberlink software, adobe reader and a demo version of Hitman pro also start, I disabled these things in msconfig in the past so they won't slow my comp and now normal startup brought them again. I will be happy to disable them again..

I'm using RTHDCPL, ipoint, itype, HPWuSchud2, AdobeARM, NvMcTray, NvCpl, APSDaemon, jusched, QTTask, winampa, PDVD10Serv, LifeExp, dumprep 0 -k, HitmanPro35, brs, equi, ctfmon, hackmon, msnmsgr, GoogleUpdate right now.

I can remove these another way, so that you don't need to boot up using Select Start-up.

Please run ComboFix once more for me. If it prompts you to update, please allow it to do so, post the new log for me to review.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 BugSniper

BugSniper
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 29 March 2012 - 08:44 AM

I'm using these programs I just didn't want them to upload each time I start my computer.

Alright, I downloaded the new Combofix version.
Then I have ran combofix again, it found the rootkit again, told me to reboot again and started working, there's the new log:



ComboFix 12-03-29.02 - user 03/29/2012 15:10:07.42.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1037.18.2030.1648 [GMT 2:00]
Running from: E:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
.
.
2012-03-29 13:25 . 2012-03-29 13:25 -------- d-----w- c:\documents and settings\NetworkService\שולחן העבודה
2012-03-29 10:09 . 2012-03-29 10:09 -------- d-----w- c:\program files\HitmanPro
2012-03-29 10:09 . 2012-03-29 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-22 18:33 . 2012-03-22 18:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\pdfMachine
2012-03-22 18:33 . 2012-03-22 18:35 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\pdfMachine
2012-03-22 18:26 . 2012-03-22 18:26 -------- d-----w- c:\program files\BCL Technologies
2012-03-03 19:31 . 2012-03-03 19:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-22 15:12 . 2010-03-19 10:03 2 --shatr- c:\windows\winstart.bat
2012-03-17 21:11 . 2012-03-15 13:39 335504 ----a-w- c:\windows\system32\drivers\TRUFOSALT.SYS.del
2012-03-03 19:31 . 2010-06-03 23:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-21 10:02 . 2011-05-15 11:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:57 . 2006-03-02 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 08:19 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2010-03-11 16:54 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-07-08 07:41 . 2011-08-09 14:04 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-02_22.10.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-29 13:08 . 2012-03-29 13:08 16384 c:\windows\temp\Perflib_Perfdata_63c.dat
+ 2012-03-29 13:27 . 2012-03-29 13:27 53248 c:\windows\temp\catchme.dll
+ 2012-03-22 18:33 . 2009-03-20 07:04 17408 c:\windows\system32\spool\drivers\w32x86\3\psapi.dll
- 2011-12-14 13:35 . 2011-12-14 13:35 34632 c:\windows\Installer\{90120000-0020-040D-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2012-03-29 12:27 . 2012-03-29 12:27 34632 c:\windows\Installer\{90120000-0020-040D-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 23040 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 61440 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 27136 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 11264 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 86016 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 12288 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-02-26 09:43 . 2009-02-26 09:43 71520 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6612\XL12CNVP.DLL
+ 2009-02-26 08:45 . 2009-02-26 08:45 20808 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6612\WRD12EXE.EXE
+ 2009-02-26 04:06 . 2009-02-26 04:06 16712 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6612\PXBPROXY.DLL
+ 2009-02-26 04:06 . 2009-02-26 04:06 68488 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6612\PXBCOM.EXE
- 2010-03-11 17:32 . 2012-02-15 11:01 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 4096 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2011-10-27 12:50 . 2011-10-03 03:06 157472 c:\windows\system32\javaws.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 157472 c:\windows\system32\javaws.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\javaw.exe
+ 2012-03-03 19:31 . 2012-03-03 19:31 149280 c:\windows\system32\java.exe
- 2010-03-11 18:44 . 2012-02-15 11:11 381632 c:\windows\system32\FNTCACHE.DAT
+ 2010-03-11 18:44 . 2012-03-14 11:29 381632 c:\windows\system32\FNTCACHE.DAT
+ 2011-08-11 12:16 . 2012-01-09 16:20 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2012-03-03 19:32 . 2012-03-03 19:32 203776 c:\windows\Installer\45304b8.msi
+ 2012-03-03 19:31 . 2012-03-03 19:31 901120 c:\windows\Installer\45304a4.msi
+ 2010-03-11 17:32 . 2012-03-14 11:02 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 409600 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 286720 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 249856 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 794624 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 135168 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-03-11 17:32 . 2012-02-15 11:01 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2010-03-11 17:32 . 2012-03-14 11:02 593920 c:\windows\Installer\{9011040D-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-02-26 08:45 . 2009-02-26 08:45 509256 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6612\WRD12CVR.DLL
+ 2009-02-25 13:27 . 2009-02-25 13:27 843680 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6612\OICE.EXE
+ 2009-02-26 08:07 . 2009-02-26 08:07 395624 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6612\MOC.EXE
+ 2012-03-22 18:33 . 2009-08-13 21:55 1748992 c:\windows\system32\spool\drivers\w32x86\3\gdiplus.dll
+ 2009-08-14 15:14 . 2012-02-03 09:57 1859968 c:\windows\system32\dllcache\win32k.sys
+ 2012-03-05 19:34 . 2012-03-05 19:34 5519872 c:\windows\Installer\426dd1.msp
+ 2009-06-12 16:15 . 2009-06-12 16:15 1661792 c:\windows\Installer\$PatchCache$\Managed\000021090200D0400000000000F01FEC\12.0.6514\OGL.DLL
+ 2010-03-18 21:51 . 2012-03-14 11:04 54215544 c:\windows\system32\MRT.exe
+ 2011-09-15 16:36 . 2011-09-15 16:36 38327296 c:\windows\Installer\609c7.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESET GUI"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"UnHackMe Monitor"="f:\nice programs\UnHackMe\hackmon.exe" [2010-07-07 594200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-17 16132608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"WinampAgent"="e:\nice programs\Winamp\winampa.exe" [2010-01-13 37888]
"RemoteControl10"="e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe" [2010-02-02 87336]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-03-13 75048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
path=
backup=
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dumprep 0 -k]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brs]
2010-03-13 09:58 75048 ------w- c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hackmon]
2010-07-07 07:14 594200 ----a-w- f:\nice programs\UnHackMe\hackmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeExp]
2010-05-20 12:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 02:17 168448 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD10Serv]
2010-02-02 21:08 87336 ------w- e:\nice programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask]
2011-10-24 12:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDRShortCut]
2008-12-03 19:15 218408 ----a-w- e:\nice programs\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampa]
2010-01-13 22:44 37888 ----a-w- e:\nice programs\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"GAINWARD"=c:\program files\EXPERTool\TBPanel.exe /A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Games\\Heroes III\\Heroes3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Games\\Avatar\\bin\\Avatar.exe"=
"e:\\Games\\Avatar\\bin\\AvatarLauncher.exe"=
"e:\\Games\\ANNO 1404\\Anno4.exe"=
"e:\\Games\\ANNO 1404\\tools\\Anno4Web.exe"=
"e:\\Games\\C&C 4\\Data\\CNC4.game"=
"e:\\Games\\Street Fighter 4\\StreetFighterIV.exe"=
"e:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"e:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"e:\\Games\\The Hell\\TH.exe"=
"e:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"e:\\Games\\StarCraft II\\StarCraft II.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"e:\\Games\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"e:\\Nice Programs\\uTorrent\\uTorrent.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base16939\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base17326\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18092\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base18574\\SC2.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19132\\SC2.exe"=
"e:\\Games\\SecondLifeViewer2\\SLVoice.exe"=
"e:\\Nice Programs\\Firestorm-Beta-Mesh\\SLVoice.exe"=
"e:\\Games\\StarCraft II\\Versions\\Base19679\\SC2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"e:\\Games\\StarCraft II\\Versions\\Base21029\\SC2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [29/03/2012 12:09 90952]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [06/07/2010 13:55 1051968]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [19/07/2011 16:14 100456]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;e:\nice programs\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [24/02/2010 13:41 10064]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/07/22 18:57];e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl [13/03/2010 11:58 87536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [30/06/2010 21:07 30576]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [29/03/2010 14:33 30946]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [07/07/2010 16:11 24416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S3 zlportio;zlportio;\??\e:\games\Ultrastar Deluxe\zlportio.sys --> e:\games\Ultrastar Deluxe\zlportio.sys [?]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [22/09/2010 14:37 160640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-28 12:08]
.
2012-03-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.walla.co.il/
TCP: DhcpNameServer = 10.0.0.138
DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} - hxxp://www.tapuz.co.il/irc/main/launcher.cab
DPF: {F705A1E9-0E4C-4F32-A647-2DE40809969A} - hxxp://player.studio.3dvia.com/3DVIAPlayer-Installer.exe
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ow7hs3g0.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar_i.id - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.hardId - a8c74c460000000000000015b2112011
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15365
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:38
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - orgnl
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - tt=250112_ncl
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - def
FF - user.js: extensions.BabylonToolbar_i.instlRef - na
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-29 15:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\e:\nice programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\dfrg.msc"
"File2"="c:\\WINDOWS\\system32\\compmgmt.msc"
"File3"="c:\\WINDOWS\\system32\\devmgmt.msc"
"File4"="c:\\WINDOWS\\system32\\perfmon.msc"
.
[HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Settings]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3528)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-29 15:30:05
ComboFix-quarantined-files.txt 2012-03-29 13:29
ComboFix2.txt 2012-03-25 10:22
ComboFix3.txt 2012-03-24 18:39
ComboFix4.txt 2012-03-24 00:28
ComboFix5.txt 2012-03-29 12:55
.
Pre-Run: 11,671,252,992 bytes free
Post-Run: 11,781,042,176 bytes free
.
- - End Of File - - FF31B9B7022E0F25D5C9EC703F3ADA7C

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:56 PM

Posted 30 March 2012 - 08:18 AM

Hi BugSniper!

I'm using these programs I just didn't want them to upload each time I start my computer.

Okay, I was just going to remove the entries from the registry that tell your computer to launch them on start-up, but I'm going to leave them alone, and allow you to continue using the Selective Start-Up. It seems to be working well for you. :)

I need to have you run a script with OTL, so that I can find a clean copy of an infected file.

Run this OTL scan for me:

OTL Custom Scan

We need to create a new OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the NONE button at the top.
  • In the Posted Image box Cope & Paste the following:
    msconfig
    safebootminimal
    drivers32
    netsvcs
    /md5start
    volsnap.sys
    atapi.sys
    a347bus.sys/md5stop
    
  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#13 BugSniper

BugSniper
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 30 March 2012 - 09:42 AM

There's the scan results...


OTL logfile created on: 30/03/2012 17:30:50 - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040D | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

1.98 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 49.09% Memory free
3.83 Gb Paging File | 3.01 Gb Available in Paging File | 78.44% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 10.98 Gb Free Space | 2.36% Space Free | Partition Type: NTFS
Drive E: | 698.64 Gb Total Space | 1.94 Gb Free Space | 0.28% Space Free | Partition Type: NTFS
Drive F: | 298.08 Gb Total Space | 2.47 Gb Free Space | 0.83% Space Free | Partition Type: NTFS

Computer Name: USER-907F5FD299 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

MsConfig - Services: "iPod Service"
MsConfig - Services: "Bonjour Service"
MsConfig - Services: "Apple Mobile Device"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AdobeARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: brs - hkey= - key= - C:\Program Files\Cyberlink\Shared files\brs.exe (cyberlink)
MsConfig - StartUpReg: dumprep 0 -k - hkey= - key= - File not found
MsConfig - StartUpReg: hackmon - hkey= - key= - F:\Nice Programs\UnHackMe\hackmon.exe (Greatis Software)
MsConfig - StartUpReg: LifeExp - hkey= - key= - C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
MsConfig - StartUpReg: MSConfig - hkey= - key= - C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: PDVD10Serv - hkey= - key= - E:\Nice Programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
MsConfig - StartUpReg: qttask - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: UpdatePDRShortCut - hkey= - key= - E:\Nice Programs\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: winampa - hkey= - key= - E:\Nice Programs\Winamp\winampa.exe (Nullsoft, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.divxa32 - C:\WINDOWS\System32\DivXa32.acm (Packed With Joy !)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.divx - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.vp60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.vp61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.vp62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/03/29 18:51:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/29 15:55:20 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/29 15:55:20 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/29 15:55:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/29 15:55:20 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/29 13:09:11 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/03/29 13:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\HitmanPro
[2012/03/29 13:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/03/22 21:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\pdfMachine
[2012/03/22 21:33:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\pdfMachine
[2012/03/22 21:26:36 | 000,000,000 | ---D | C] -- C:\Program Files\BCL Technologies
[2012/03/22 17:55:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/15 16:39:44 | 000,335,504 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TRUFOSALT.SYS.del
[2012/03/15 16:14:48 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/03/03 22:31:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/03 22:31:45 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/03 22:31:45 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/03 22:31:45 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

========== Files - Modified Within 30 Days ==========

[2012/03/30 17:29:41 | 000,003,227 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2012/03/30 16:57:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
[2012/03/30 13:57:00 | 000,000,952 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
[2012/03/30 12:30:08 | 000,666,322 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/30 12:30:08 | 000,538,024 | ---- | M] () -- C:\WINDOWS\System32\perfh00d.dat
[2012/03/30 12:30:08 | 000,146,728 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/30 12:30:08 | 000,146,676 | ---- | M] () -- C:\WINDOWS\System32\perfc00d.dat
[2012/03/30 12:25:58 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/30 12:25:30 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/03/30 12:25:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/29 13:03:42 | 000,000,293 | -HS- | M] () -- C:\boot.ini
[2012/03/27 19:09:16 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/03/22 21:07:44 | 001,468,466 | ---- | M] () -- C:\Documents and Settings\user\My Documents\מערכת שעות19.pdf
[2012/03/22 18:12:23 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2012/03/22 18:12:22 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/22 18:12:22 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2012/03/22 17:13:28 | 000,000,134 | ---- | M] () -- C:\WINDOWS\rootkitno.ini
[2012/03/19 23:11:41 | 000,211,968 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/18 00:11:28 | 000,335,504 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TRUFOSALT.SYS.del
[2012/03/14 14:29:37 | 000,381,632 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/14 14:04:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/06 16:11:59 | 000,000,284 | ---- | M] () -- C:\Documents and Settings\user\שולחן העבודה\הפקולטה למדעי החברה - לוח הודעות.url
[2012/03/05 23:45:52 | 049,454,830 | ---- | M] () -- C:\Documents and Settings\user\My Documents\תיעוד ההפעלה.wmv
[2012/03/05 23:22:07 | 000,127,359 | ---- | M] () -- C:\Documents and Settings\user\My Documents\הכל ביחד.pds
[2012/03/05 21:27:12 | 000,060,945 | ---- | M] () -- C:\Documents and Settings\user\My Documents\PDR.dmp
[2012/03/05 16:49:56 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/03/03 22:31:28 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/03 22:31:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/03 22:31:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/03/03 22:31:28 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/03 22:31:27 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

========== Files Created - No Company Name ==========

[2012/03/29 15:55:20 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/29 15:55:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/29 15:55:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/29 15:55:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/29 15:55:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/24 18:53:00 | 000,000,284 | ---- | C] () -- C:\Documents and Settings\user\שולחן העבודה\הפקולטה למדעי החברה - לוח הודעות.url
[2012/03/22 21:07:43 | 001,468,466 | ---- | C] () -- C:\Documents and Settings\user\My Documents\מערכת שעות19.pdf
[2012/03/05 23:22:42 | 049,454,830 | ---- | C] () -- C:\Documents and Settings\user\My Documents\תיעוד ההפעלה.wmv
[2012/03/05 20:35:59 | 000,127,359 | ---- | C] () -- C:\Documents and Settings\user\My Documents\הכל ביחד.pds
[2012/02/15 11:19:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/01 23:55:34 | 000,421,730 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\census.cache
[2011/09/01 23:55:30 | 000,234,796 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\ars.cache
[2011/09/01 20:41:01 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2011/08/09 17:04:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/07/19 17:04:50 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/19 17:04:47 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/19 17:04:47 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/02/15 02:04:50 | 002,292,678 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010/12/23 08:56:49 | 000,007,282 | ---- | C] () -- C:\WINDOWS\cadx2.ini
[2010/11/14 22:55:49 | 000,494,128 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/29 21:07:21 | 000,000,039 | ---- | C] () -- C:\WINDOWS\ideq32.ini
[2010/09/29 21:39:32 | 000,000,565 | ---- | C] () -- C:\Documents and Settings\user\Application Data\myMPQ.ini
[2010/09/22 15:37:36 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2010/09/22 15:35:43 | 000,339,456 | ---- | C] () -- C:\WINDOWS\System32\Tx32.dll
[2010/07/27 13:26:56 | 000,078,796 | ---- | C] () -- C:\WINDOWS\hpfins05.dat
[2010/07/27 13:26:56 | 000,001,395 | ---- | C] () -- C:\WINDOWS\hpfmdl05.dat
[2010/07/27 13:26:41 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2010/07/27 13:26:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/07/24 15:00:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhotoNow.INI
[2010/07/15 17:11:48 | 001,185,871 | ---- | C] () -- C:\WINDOWS\System32\unins000.exe
[2010/07/15 17:11:48 | 000,045,669 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat
[2010/05/31 01:28:36 | 000,211,968 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/26 01:03:51 | 000,000,134 | ---- | C] () -- C:\WINDOWS\rootkitno.ini
[2010/05/20 17:20:12 | 000,000,014 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2010/05/12 12:44:12 | 000,086,528 | ---- | C] () -- C:\WINDOWS\bnetunin.exe
[2010/05/12 12:21:01 | 000,000,401 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/04/29 15:10:08 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\psfind.dll
[2010/04/23 10:11:45 | 000,000,083 | ---- | C] () -- C:\WINDOWS\wwpEnglish.INI
[2010/04/14 20:34:18 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2010/04/14 20:34:17 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys

========== Custom Scans ==========

< MD5 for: ATAPI.SYS >
[2006/03/02 15:00:00 | 018,773,911 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/03/19 00:59:40 | 023,886,227 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/03/19 00:59:40 | 023,886,227 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 21:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 21:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 21:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/03/02 15:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: VOLSNAP.SYS >
[2006/03/02 15:00:00 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=75554B019CBBD7A973F670D7DC53BE8F -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys
[2008/04/14 04:52:09 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=77C942F961ECA976CA12B12E36F3505A -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/14 04:52:09 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=77C942F961ECA976CA12B12E36F3505A -- C:\WINDOWS\system32\drivers\volsnap.sys

< End of report >

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:56 PM

Posted 31 March 2012 - 07:20 AM

Whoops. There was a typo in my script.

Please run these instructions for me now:

OTL Custom Scan

We need to create a new OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the NONE button at the top.
  • In the Posted Image box Cope & Paste the following:
    msconfig
    /md5start
    a347bus.sys
    /md5stop
    
  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 BugSniper

BugSniper
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 31 March 2012 - 12:30 PM

Ah.. mistakes happen all the time. Help my computer to breath freely again..
Here is the log you asked, hoping you can help me finish this rootkit off soon.


OTL logfile created on: 31/03/2012 20:16:39 - Run 3
OTL by OldTimer - Version 3.2.39.2 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040D | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

1.98 Gb Total Physical Memory | 1.23 Gb Available Physical Memory | 62.22% Memory free
3.83 Gb Paging File | 3.30 Gb Available in Paging File | 86.03% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 10.90 Gb Free Space | 2.34% Space Free | Partition Type: NTFS
Drive E: | 698.64 Gb Total Space | 1.33 Gb Free Space | 0.19% Space Free | Partition Type: NTFS
Drive F: | 298.08 Gb Total Space | 2.47 Gb Free Space | 0.83% Space Free | Partition Type: NTFS

Computer Name: USER-907F5FD299 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

MsConfig - Services: "iPod Service"
MsConfig - Services: "Bonjour Service"
MsConfig - Services: "Apple Mobile Device"
MsConfig - Services: "HitmanProScheduler"
MsConfig - Services: "RichVideo"
MsConfig - Services: "MSCamSvc"
MsConfig - Services: "JavaQuickStarterService"
MsConfig - Services: "TuneUp.Defrag"
MsConfig - Services: "WMPNetworkSvc"
MsConfig - Services: "TuneUp.UtilitiesSvc"
MsConfig - Services: "gusvc"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AdobeARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: APSDaemon - hkey= - key= - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
MsConfig - StartUpReg: BDRegion - hkey= - key= - C:\Program Files\Cyberlink\Shared files\brs.exe (cyberlink)
MsConfig - StartUpReg: brs - hkey= - key= - C:\Program Files\Cyberlink\Shared files\brs.exe (cyberlink)
MsConfig - StartUpReg: dumprep 0 -k - hkey= - key= - File not found
MsConfig - StartUpReg: hackmon - hkey= - key= - F:\Nice Programs\UnHackMe\hackmon.exe (Greatis Software)
MsConfig - StartUpReg: LifeCam - hkey= - key= - C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
MsConfig - StartUpReg: LifeExp - hkey= - key= - C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
MsConfig - StartUpReg: MSConfig - hkey= - key= - C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: PDVD10Serv - hkey= - key= - E:\Nice Programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
MsConfig - StartUpReg: qttask - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: RemoteControl10 - hkey= - key= - E:\Nice Programs\PowerDVD10\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: UnHackMe Monitor - hkey= - key= - F:\Nice Programs\UnHackMe\hackmon.exe (Greatis Software)
MsConfig - StartUpReg: UpdatePDRShortCut - hkey= - key= - E:\Nice Programs\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: winampa - hkey= - key= - E:\Nice Programs\Winamp\winampa.exe (Nullsoft, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

========== Files/Folders - Created Within 30 Days ==========

[2012/03/30 18:44:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\.igpm
[2012/03/30 18:43:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\PeaceMaker
[2012/03/30 18:43:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\PeaceMaker
[2012/03/29 18:51:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/29 15:55:20 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/03/29 15:55:20 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/03/29 15:55:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/03/29 15:55:20 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/03/29 13:09:11 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/03/29 13:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\HitmanPro
[2012/03/29 13:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/03/22 21:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\pdfMachine
[2012/03/22 21:33:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\pdfMachine
[2012/03/22 21:26:36 | 000,000,000 | ---D | C] -- C:\Program Files\BCL Technologies
[2012/03/22 17:55:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/15 16:39:44 | 000,335,504 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TRUFOSALT.SYS.del
[2012/03/15 16:14:48 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/03/03 22:31:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/03 22:31:45 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/03 22:31:45 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/03 22:31:45 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

========== Files - Modified Within 30 Days ==========

[2012/03/31 20:15:40 | 000,003,374 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2012/03/31 19:57:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003UA.job
[2012/03/31 13:57:00 | 000,000,952 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1177238915-725345543-1003Core.job
[2012/03/31 13:32:13 | 000,666,322 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/31 13:32:13 | 000,538,024 | ---- | M] () -- C:\WINDOWS\System32\perfh00d.dat
[2012/03/31 13:32:13 | 000,146,676 | ---- | M] () -- C:\WINDOWS\System32\perfc00d.dat
[2012/03/31 13:32:12 | 000,146,728 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/31 13:28:08 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/31 13:27:42 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/03/31 13:27:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/30 17:37:42 | 000,000,293 | -HS- | M] () -- C:\boot.ini
[2012/03/27 19:09:16 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/03/22 21:07:44 | 001,468,466 | ---- | M] () -- C:\Documents and Settings\user\My Documents\מערכת שעות19.pdf
[2012/03/22 18:12:23 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2012/03/22 18:12:22 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/22 18:12:22 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2012/03/22 17:13:28 | 000,000,134 | ---- | M] () -- C:\WINDOWS\rootkitno.ini
[2012/03/19 23:11:41 | 000,211,968 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/18 00:11:28 | 000,335,504 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TRUFOSALT.SYS.del
[2012/03/14 14:29:37 | 000,381,632 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/14 14:04:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/06 16:11:59 | 000,000,284 | ---- | M] () -- C:\Documents and Settings\user\שולחן העבודה\הפקולטה למדעי החברה - לוח הודעות.url
[2012/03/05 23:45:52 | 049,454,830 | ---- | M] () -- C:\Documents and Settings\user\My Documents\תיעוד ההפעלה.wmv
[2012/03/05 23:22:07 | 000,127,359 | ---- | M] () -- C:\Documents and Settings\user\My Documents\הכל ביחד.pds
[2012/03/05 21:27:12 | 000,060,945 | ---- | M] () -- C:\Documents and Settings\user\My Documents\PDR.dmp
[2012/03/05 16:49:56 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/03/03 22:31:28 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/03 22:31:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/03 22:31:28 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/03/03 22:31:28 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/03 22:31:27 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

========== Files Created - No Company Name ==========

[2012/03/29 15:55:20 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/03/29 15:55:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/03/29 15:55:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/03/29 15:55:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/03/29 15:55:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/03/24 18:53:00 | 000,000,284 | ---- | C] () -- C:\Documents and Settings\user\שולחן העבודה\הפקולטה למדעי החברה - לוח הודעות.url
[2012/03/22 21:07:43 | 001,468,466 | ---- | C] () -- C:\Documents and Settings\user\My Documents\מערכת שעות19.pdf
[2012/03/05 23:22:42 | 049,454,830 | ---- | C] () -- C:\Documents and Settings\user\My Documents\תיעוד ההפעלה.wmv
[2012/03/05 20:35:59 | 000,127,359 | ---- | C] () -- C:\Documents and Settings\user\My Documents\הכל ביחד.pds
[2012/02/15 11:19:13 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/01 23:55:34 | 000,421,730 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\census.cache
[2011/09/01 23:55:30 | 000,234,796 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\ars.cache
[2011/09/01 20:41:01 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2011/08/09 17:04:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/07/19 17:04:50 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/19 17:04:47 | 000,252,080 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/19 17:04:47 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/02/15 02:04:50 | 002,292,678 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010/12/23 08:56:49 | 000,007,282 | ---- | C] () -- C:\WINDOWS\cadx2.ini
[2010/11/14 22:55:49 | 000,494,128 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/29 21:07:21 | 000,000,039 | ---- | C] () -- C:\WINDOWS\ideq32.ini
[2010/09/29 21:39:32 | 000,000,565 | ---- | C] () -- C:\Documents and Settings\user\Application Data\myMPQ.ini
[2010/09/22 15:37:36 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2010/09/22 15:35:43 | 000,339,456 | ---- | C] () -- C:\WINDOWS\System32\Tx32.dll
[2010/07/27 13:26:56 | 000,078,796 | ---- | C] () -- C:\WINDOWS\hpfins05.dat
[2010/07/27 13:26:56 | 000,001,395 | ---- | C] () -- C:\WINDOWS\hpfmdl05.dat
[2010/07/27 13:26:41 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2010/07/27 13:26:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/07/24 15:00:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhotoNow.INI
[2010/07/15 17:11:48 | 001,185,871 | ---- | C] () -- C:\WINDOWS\System32\unins000.exe
[2010/07/15 17:11:48 | 000,045,669 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat
[2010/05/31 01:28:36 | 000,211,968 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/26 01:03:51 | 000,000,134 | ---- | C] () -- C:\WINDOWS\rootkitno.ini
[2010/05/20 17:20:12 | 000,000,014 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2010/05/12 12:44:12 | 000,086,528 | ---- | C] () -- C:\WINDOWS\bnetunin.exe
[2010/05/12 12:21:01 | 000,000,401 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/04/29 15:10:08 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\psfind.dll
[2010/04/23 10:11:45 | 000,000,083 | ---- | C] () -- C:\WINDOWS\wwpEnglish.INI
[2010/04/14 20:34:18 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2010/04/14 20:34:17 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys

========== Custom Scans ==========

< MD5 for: A347BUS.SYS >
[2004/04/30 10:37:02 | 000,160,640 | ---- | M] ( ) MD5=1F61CACACB521215F39061789147968C -- C:\WINDOWS\system32\drivers\a347bus.sys

< End of report >




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users