View Full Version : HJT log (Resolved)
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:35, on 25/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {bf56a325-23f2-42ad-f4e4-00aac39caa53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zrpyfpeew.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {EE31AE88-AE7A-4C52-9330-A0A3B3468C02} - C:\WINDOWS\system32\config\systemprofile\Application Data\pkz.ini
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O23 - Service: BullGuard LiveUpdate (bglivesvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc (bgrasvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 8472 bytes
other info:
have installed bullgaurd. it found 50+ infections, all were removed, but the odd one still apears after another scan
also installed spybot S&D. 50+ infections on first scan, all fixed but some are still appearing on further scans
no scans or anything else has been done since the HJT log
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
Disable Teatimer
We need to disable Teatimer as it may interfere with the cleaning.
Please do not re-enable it until I give instructions.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Click Link >>> HERE <<< Link (http://www.neoshine.co.uk/mina/Downloads/TTWipe.bat) and select "save as" and save it to your desktop
Double click TTWipe.bat
Reboot your machine for the changes to take effect.
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )
Please Download GMER to your desktop
Download GMER (http://www.gmer.net/gmer.zip) and extract it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
Note:- If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
Teatimer has been disabled.
RSIT log
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-27 19:37:50
Microsoft Windows XP Professional Service Pack 3
System drive C: has 183 GB (77%) free of 238 GB
Total RAM: 2047 MB (70% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:53, on 27/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\temp downloaded stuff\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {bf56a325-23f2-42ad-f4e4-00aac39caa53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zrpyfpeew.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {EE31AE88-AE7A-4C52-9330-A0A3B3468C02} - C:\WINDOWS\system32\config\systemprofile\Application Data\pkz.ini
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O23 - Service: BullGuard LiveUpdate (bglivesvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc (bgrasvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 8158 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53}]
C:\WINDOWS\system32\tajf83ikdmf.dll - C:\WINDOWS\system32\tajf83ikdmf.dll [2009-08-23 15000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask.com Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-04-02 809864]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2008-05-02 15872]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2009-02-25 37888]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-02-26 16125440]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2007-04-23 228088]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-08-23 304464]
"PAC7302_Monitor"=C:\WINDOWS\PixArt\PAC7302\Monitor.exe [2006-11-03 319488]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe []
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe []
"Microsoft Driver Setup"=C:\WINDOWS\msdrive32.exe []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Microsoft Driver Setup"=C:\WINDOWS\msdrive32.exe []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-08-12 21741864]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"DU Meter"=C:\Program Files\DU Meter\DUMeter.exe [2009-08-22 2645528]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2009-08-23 304464]
"AntiSpyware Service"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zrpyfpeew.exe []
"Windows System Recover!"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe [2009-08-26 22532]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\12CFG214-K641-11SF-N33P]
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1077\vslmq.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware Service]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vezqjg.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qlajesuhelehiz]
C:\WINDOWS\ukucitaqunuhog.dll,e []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-26 148888]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [2009-04-08 251240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows System Recover!]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\system.exe [2009-08-26 22532]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\kill.bat []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^mel.bat183242.bat]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\mel.bat183242.bat []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
avgrsstx.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll [2009-08-23 15000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
nscf31.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bglivesvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bgmainsvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableStatusMessages"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoResolveTrack"=1
"NoResolveSearch"=1
"NoInstrumentation"=1
"NoStartMenuMFUprogramsList"=1
"NoFolderOptions"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\aoesetup.exe /autorun
shell\directx\command - D:\DirectX\dxsetup.exe
shell\dplay\command - D:\DirectX\dplay61a.exe
shell\dxdiag\command - D:\goodies\ar40eng.exe
shell\dxinfo\command - D:\goodies\DirectX\dxinfo.exe
shell\dxtest\command - D:\DirectX\dxdiag.exe
shell\dxtool\command - D:\goodies\DirectX\dxtool.exe
shell\log\command - D:\goodies\machine\machine.exe -l
shell\machine\command - D:\goodies\machine\machine.exe
shell\setup\command - D:\aoesetup.exe /autorun
shell\zone\command - D:\goodies\mszone\zoneA600.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{669eec44-1300-11de-9533-001bfc4adb54}]
shell\autorun\command - K:\RECYCLER\autorun.exe
shell\open\command - K:\RECYCLER\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5b1da9e-3d86-11de-957b-001bfc4adb54}]
shell\AutoRun\command - K:\InstallTomTomHOME.exe
======List of files/folders created in the last 1 months======
2009-08-27 19:37:50 ----D---- C:\rsit
2009-08-25 12:36:27 ----D---- C:\Program Files\Trend Micro
2009-08-24 18:02:41 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-23 23:07:51 ----D---- C:\Program Files\CCleaner
2009-08-23 22:18:18 ----A---- C:\WINDOWS\wininit.ini
2009-08-23 22:06:35 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-23 22:06:35 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 17:39:57 ----A---- C:\AILog.txt
2009-08-23 17:22:51 ----D---- C:\Program Files\Microsoft Games
2009-08-23 16:57:38 ----D---- C:\Program Files\Your Company Name
2009-08-23 13:46:49 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-08-23 10:09:31 ----D---- C:\WINDOWS\pss
2009-08-22 20:27:31 ----D---- C:\Documents and Settings\All Users\Application Data\BullGuard
2009-08-22 20:27:29 ----D---- C:\Documents and Settings\Administrator\Application Data\BullGuard
2009-08-22 19:34:53 ----D---- C:\Program Files\Alwil Software
2009-08-22 18:53:25 ----D---- C:\Program Files\AVG
2009-08-22 18:30:57 ----SHD---- C:\WINDOWS\system32\lowsec
2009-08-22 18:30:54 ----A---- C:\WINDOWS\system32\tajf83ikdmf.dll
2009-08-22 18:30:48 ----ASH---- C:\WINDOWS\E88D4.exe
2009-08-22 18:21:58 ----D---- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2009-08-22 18:21:56 ----D---- C:\Program Files\DU Meter
2009-08-22 18:04:28 ----D---- C:\Program Files\KONAMI
2009-08-03 19:56:22 ----D---- C:\Program Files\Microsoft AutoRoute
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SGRegister.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\Sgdt32.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng90.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng80.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng70.dll
2009-08-01 16:47:50 ----A---- C:\WINDOWS\system32\SdoEng100.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\Sgcom32.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\SdoEng110.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\Sdoeng.dll
2009-08-01 16:47:48 ----A---- C:\WINDOWS\system32\SDOApp.dll
2009-08-01 16:47:46 ----A---- C:\WINDOWS\system32\SdoEng120.dll
2009-08-01 16:47:21 ----D---- C:\Program Files\Clik
======List of files/folders modified in the last 1 months======
2009-08-27 19:37:06 ----D---- C:\Program Files\Mozilla Firefox
2009-08-27 19:34:49 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2009-08-27 19:33:22 ----D---- C:\WINDOWS\Temp
2009-08-27 19:31:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-27 19:20:08 ----D---- C:\WINDOWS\system32
2009-08-27 19:11:04 ----D---- C:\Documents and Settings\Administrator\Application Data\skypePM
2009-08-26 18:21:29 ----D---- C:\WINDOWS\Prefetch
2009-08-25 12:36:27 ----RD---- C:\Program Files
2009-08-24 18:02:41 ----D---- C:\WINDOWS
2009-08-24 17:39:31 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-08-24 17:36:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-23 23:08:53 ----D---- C:\WINDOWS\Debug
2009-08-23 17:23:59 ----RSD---- C:\WINDOWS\Fonts
2009-08-23 17:20:30 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-23 16:57:48 ----SHD---- C:\WINDOWS\Installer
2009-08-23 14:14:59 ----SHD---- C:\RECYCLER
2009-08-23 13:21:30 ----SHD---- C:\WINDOWS\CSC
2009-08-23 10:20:22 ----D---- C:\WINDOWS\system32\drivers
2009-08-23 10:10:42 ----SH---- C:\boot.ini
2009-08-23 10:10:42 ----A---- C:\WINDOWS\win.ini
2009-08-23 10:10:42 ----A---- C:\WINDOWS\system.ini
2009-08-22 20:27:13 ----HD---- C:\WINDOWS\inf
2009-08-22 19:37:10 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-08-22 19:35:10 ----D---- C:\WINDOWS\system32\config
2009-08-22 18:53:24 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-03 19:56:21 ----D---- C:\Program Files\Microsoft Office
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2006-02-25 16877]
R2 bdfilespy;BullGuard File Monitor Driver; \??\C:\WINDOWS\system32\drivers\BdFileSpy.sys []
R2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2008-05-29 62848]
R3 afw;Agnitum firewall driver; C:\WINDOWS\system32\DRIVERS\afw.sys [2009-03-23 31128]
R3 afwcore;afwcore; C:\WINDOWS\system32\DRIVERS\afwcore.sys [2009-03-23 257304]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-03-01 4484608]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 NVENETFD;NVIDIA nForce 10/100 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-12-30 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-12-30 22016]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2008-04-14 5888]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-24 30336]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-02-26 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S2 SSPORT;SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 PAC7302;PAC7302 VGA USB Camera; C:\WINDOWS\system32\DRIVERS\PAC7302.SYS [2007-06-14 457856]
S3 profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys []
S3 RimUsb;BlackBerry Device; C:\WINDOWS\System32\Drivers\RimUsb.sys [2006-11-07 22272]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 atapi;atapi; C:\WINDOWS\system32\drivers\atapi.sys [2008-04-14 96512]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 bglivesvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2009-04-06 300368]
R2 bgmainsvc;BullGuard Main Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 bsfilescan;BullGuard File Scan Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 bsfire;BullGuard Firewall Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 DUMeterSvc;DU Meter Service; C:\Program Files\DU Meter\DUMeterSvc.exe [2009-08-22 1386008]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-26 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
R2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2009-04-08 92008]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 bsmailproxy;BullGuard Email Monitoring Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-04-22 359160]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-04-23 310008]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-04-23 166648]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 bgrasvc;BGRaSvc; C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [2009-06-01 79184]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-04-22 88824]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-04-23 1010424]
-----------------EOF-----------------
RSIT info
info.txt logfile of random's system information tool 1.06 2009-08-27 19:37:54
======Uninstall list======
-->C:\Program Files\InstallShield Installation Information\{F0B2D11F-E4D9-4C17-A195-B8BADEAE9C40}\setup.exe -runfromtemp -l0x0009 -removeonly
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
-->MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Audacity 1.3.3 (Unicode)-->"C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
BitLord 1.1-->C:\Program Files\BitLord\uninst.exe
BlackBerry Desktop Software 4.2.2-->MsiExec.exe /i{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
BlackBerry Desktop Software 4.2.2-->MsiExec.exe /I{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D}
Brother P-touch Editor 5.0-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DF9A6075-9308-4572-8932-A4316243C4D9}
BullGuard 8.5-->C:\Program Files\BullGuard Ltd\BullGuard\uninst.exe
Cable-Mate 3.3-->C:\WINDOWS\SSEUninstaller.exe C:\Program Files\Cable-Mate 3.3\SSEun.dat
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Clik 3-->C:\PROGRA~1\Clik\BM\UNWISE.EXE C:\PROGRA~1\Clik\BM\INSTALL.LOG
Contractor Pro-->MsiExec.exe /I{60C18308-6FD1-47AF-8185-B4AFEF2E24EF}
Crystal reports 9.0 for Contractor Pro-->MsiExec.exe /X{5C57D058-8EEE-4C8D-81A9-1D8D11F4A48F}
DU Meter-->"C:\Program Files\DU Meter\unins000.exe"
EAGLE 5.6.0-->cmd.exe /c start "EAGLE Uninstaller" /min "C:\Program Files\EAGLE-5.6.0\bin\uninstall.bat" C:\Program Files\EAGLE-5.6.0\bin
EasyCert-->"C:\Program Files\EasyCert\uninstall.exe"
File Scavenger 3.2 (English)-->"C:\Program Files\File Scavenger 3.2\unins000.exe"
FileZilla Client 3.2.6-->C:\Program Files\FileZilla FTP Client\uninstall.exe
GetDataBack for NTFS-->"C:\Program Files\Runtime Software\GetDataBack for NTFS\Uninstall.exe" "C:\Program Files\Runtime Software\GetDataBack for NTFS\install.log" -u
Grand Theft Auto Vice City-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\Setup.exe" -l0x9
GTA San Andreas-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
LAME v3.98.2 for Audacity-->"C:\Program Files\Lame for Audacity\unins000.exe"
MetalGearSolid2 Substance-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2184D9EA-4E5B-43FD-914E-4563CF028C94}\setup.exe" -l0x9
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Age of Empires II-->"C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft AutoRoute 2005-->MsiExec.exe /I{67E4EE98-59F4-4220-89A6-A20AF5BEC689}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
ML-1510_700 Series-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC411126-8CDE-4B7C-950F-4197C931B0C8}\Setup.exe"
Mozilla Firefox (3.5.2)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
PDF Editor 2-->C:\WINDOWS\cadkasdeinst01e.exe "C:\Program Files\PDF Editor 2\"
Philips Product Selector 1.0.2-->C:\Program Files\InstallShield Installation Information\{BC35DF5E-7682-40F9-8FF0-737D8C568F7D}\setup.exe -runfromtemp -l0x0409
PhotoLux-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E670CC9A-7CD2-4BB8-9485-6324EFAC137C}\setup.exe" -l0x9 anything -uninst
PrimoPDF-->"C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Roxio Media Manager-->MsiExec.exe /X{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}
Samsung CLX-216x Series-->C:\Program Files\Samsung\Samsung CLX-216x Series\Install\Setup.exe /R
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Thermal Analysis Tool-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B2C675E-8040-431B-99C4-137DF4FBF75A}\setup.exe" -l0x9 -removeonly
Thorn - Product Explorer 6.0-->MsiExec.exe /I{B8EE8264-238C-430A-9D5F-DB9139B09364}
TomTom HOME 2.6.2.1586-->C:\Program Files\TomTom HOME 2\Uninstall TomTom HOME.exe
TomTom HOME Visual Studio Merge Modules-->MsiExec.exe /I{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}
Tysoft PDF (novaPDF 6.2 printer)-->"C:\Program Files\Softland\novaPDF 6\unins000.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Zumtobel - Product Explorer 6.0-->MsiExec.exe /I{4F6F5C1E-F109-4A58-8F43-9A1039CDAFC9}
Hosts File Missing
Securitycenter WMI appears to be broken
======System event log======
Computer Name: HOME
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 001BFC4ADB54. The IP address being used is 169.254.116.103.
Record Number: 25
Source Name: Dhcp
Time Written: 20090307162705.000000+000
Event Type: warning
User:
Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC4ADB54. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 24
Source Name: Dhcp
Time Written: 20090307162659.000000+000
Event Type: warning
User:
Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC4ADB54. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 23
Source Name: Dhcp
Time Written: 20090307162630.000000+000
Event Type: warning
User:
Computer Name: HOME
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 001BFC4ADB54. The IP address being used is 169.254.116.103.
Record Number: 15
Source Name: Dhcp
Time Written: 20090307161019.000000+000
Event Type: warning
User:
Computer Name: HOME
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001BFC4ADB54. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 10
Source Name: Dhcp
Time Written: 20090304210332.000000+000
Event Type: warning
User:
=====Application event log=====
Computer Name: HOME
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 1795
Source Name: EventSystem
Time Written: 20090823184334.000000+060
Event Type: error
User:
Computer Name: HOME
Event Code: 1001
Message:
Record Number: 1783
Source Name: MsiInstaller
Time Written: 20090823165714.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: HOME
Event Code: 1004
Message:
Record Number: 1782
Source Name: MsiInstaller
Time Written: 20090823165714.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: HOME
Event Code: 8193
Message: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.
Record Number: 1773
Source Name: VSS
Time Written: 20090823132027.000000+060
Event Type: error
User:
Computer Name: HOME
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 1772
Source Name: EventSystem
Time Written: 20090823132027.000000+060
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
"PROCESSOR_REVISION"=4303
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
-----------------EOF-----------------
i installed GMER, and opened it. it does say about rootkit activity, but after a few mins, i get a blue screen
aujasnkj.sys
attempt to write to read only memory
technical info
0x000000BE (0XF747B0CB4, 0X0A3D8161, 0XB50C7B74, 0X0000000B)
aujasnkj.sys - Address B4FE3670 BASE AT B4FD8000 DATESTAMP 4A891380
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If requested, please reboot
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
unable to do combofix due to bluescreen. it goes as far is scanning, thn blue screen
error message is something attempted to write to read only. no names with this one
tech info:
STOP: 0X000000BE (0X804E13A7, 0X004E1161, 0XF78DECD0, 0X0000000B)
malwarebytes log #1
Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 5.1.2600 Service Pack 3
27/08/2009 22:35:40
mbam-log-2009-08-27 (22-35-40).txt
Scan type: Full Scan (C:\|I:\|)
Objects scanned: 308923
Time elapsed: 22 minute(s), 45 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 9
Registry Data Items Infected: 8
Folders Infected: 3
Files Infected: 41
Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\services.exe (Trojan.Dropper) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\nscf31.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\glaide32 (Rootkit.Rustok) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpyware Service (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Worm.Palevo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nscf31.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twext.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.
Files Infected:
C:\WINDOWS\nscf31.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\services.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1533926148.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1570129124.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1728515536.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\1928446482.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\72977732.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\mdm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\notepad.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\853581186.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\smss.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\system.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\kbiwkmdccrnsplwq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\kbiwkmgptvkpylby.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\2013264930.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\2740931964.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\2818849868.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3457196482.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3467926996.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3645238262.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\4013479428.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\win.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winamp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\winlogon.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\debug.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX1\install.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX2\install.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\glaide32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
i re-booted and ran scan again. this is log from second scan
Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 5.1.2600 Service Pack 3
27/08/2009 23:03:33
mbam-log-2009-08-27 (23-03-33).txt
Scan type: Full Scan (C:\|I:\|)
Objects scanned: 308867
Time elapsed: 22 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
SysProt Antirootkit
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab. In the Write to log box select the following items.
Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected
At the bottom of the page
Hidden Objects Only << Selected
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
SysProt log
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmsdjnkvxf.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 89C1971A
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 89C1A6E2
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 89C1871C
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 89C196E4
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 89C1C6F3
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 89C1A71B
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Try running ComboFix using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.
"%userprofile%\desktop\combofix.exe" /stepdel
When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If that doesn't work, reboot and then rename Combofix to CleanMe and double click it then
blue screen again
first attempt, combofix said there was an update. update downloaded.
both methods:
ran program, came up with disclaimer and started scan, then bluescreen. same tech info as previous attempt
Avenger
Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Please download The Avenger2 by SwanDog46 (http://swandog46.geekstogo.com/avenger.zip).
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
Drivers to disable:
kbiwkmpkbmwnli
Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
done that
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Disablement of driver "kbiwkmpkbmwnli" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)
Completed script processing.
*******************
Finished! Terminate.
We need to use GMER to delete a service and remove the file:
Open the gmer folder and double click gmer.exe to run the program
On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.
Click on the > > > tab to open the menus
http://i348.photobucket.com/albums/q323/RatHatG2G/GMER1.jpg
Click on the Services tab
http://i348.photobucket.com/albums/q323/RatHatG2G/GMER_Services_Tab.jpg
Scroll down until you find the following Service (Note: This may be highlighted in red)
kbiwkmpkbmwnli
Click on the Service Name to Highlight it, then right click and choose Delete...
http://i348.photobucket.com/albums/q323/RatHatG2G/GMER_Delete_Service.jpg
Click OK at the first confirmation dialog to remove the service
Click OK to the second confirmation dialog to remove the file
Click OK to exit the program
Download and Run ComboFix
Delete any copy of Combofix that you have
Download Combofix from the link below. Save it to your desktop.
> Link Removed <
(I have renamed the file)
STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Try double clicking the renamed file.
still getting bluescreen when i run combofix. something obviously doesnt want it to run! (is this turning out to be an awkward fix for you?)
Is this turning out to be an awkward fix for you?
Just a bit, we can usually get combofix to run easier than this.
Please can you post a fresh Sysprot log
things may have just went from bad to worse....
ran sysprot, and whilst it was doing its thing, a 'program' appeared called 'windows antivirus pro' saying computer is infected, and to purchase. when i click to open firefox, i get a message saying its infected and it wont open a new window.
then, another 'program' appears called 'windows security centre'. says firewall and automatic updates are on, virus protection not found.
then i get a message saying svchost.exe has encountered a problem and needs to close. option are debug, send error report and fit it.
just as im typing this, i got another window saying 'warning! 3 infection found' - its also from windows antivirus pro.
sysprot log
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmsdjnkvxf.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 89C4A6E2
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 89C4A71A
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 89C496E4
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 89C4971C
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 892D6C9B
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 89C4B6DB
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
I've had a word with the developer of Combofix, and we want to make sure that Avast isn't interfering.
Right click on the avast! icon in system tray and choose (Stop On-Access Protection)
Then try running Combofix
i think i uninstalled avast before i came here. i tried a few different programs, and once i was finished with somethng, it was removed. i have a folder in c: program files called alwil software, in that avast4, in that setup and 1 file in there called setup (0KB). and thats it. there is no icon anywhere, no desktop icon, nothing in start menu or anything
Please run MalwareBytes again (Quick Scan) , and then post a fresh RSIT log
Please run MalwareBytes again (Quick Scan) , and then post a fresh RSIT log
cant do that. cant open any program. when i try, i get a message in bottom right corner saying
'Warning!
Running of application impossible. the file c:/program files/malwarebytes' anti-malware/mbam.exe is infected. please activate your antivirus program'
this applies to any program.
i tried start run and c:/program files... mbam.exe, but i got the same message
(i know the / should be the other way - but keyboard layout is different on my laptop)
i can open folders but thats it
Let's try running in safe mode.
Reboot in safe mode
You will now need to reboot in safe mode, you will not have internet access whilst you do the next part
Please copy/paste or print the following instructions.
To reboot in safe mode
You can boot in Safe Mode by restarting your computer, then continually tapping F5 OR F8 until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit enter.
Now try the following programs
MalwareBytes
RSIT
Combofix
none of them work.
for malwarebytes, a command type box appears for a split second then goes.
for RSIT and combo, i get a message saying 'open file - security warning. option run or cancel. when i click run i get the command type box then nothing
i have had a quick look on the net about the 'antivirus' program and found this (http://www.bleepingcomputer.com/virus-removal/remove-windows-antivirus-pro). should i try that?
should i try that?
Please do.
Please do.
not working. i have downloaded task manager fix, but there is no task in applications (other than for the internet explorer i have open). there are 26 processes running, 8 of which are svchost.exe.
i still cant open any programs, and i can only get internet explorer to work by opening a folder and typing a website into address bar
so far, ive had no popups or anything for the windows antivirus pro (always the same when you want it to appear!)
forgot to say, there is a svchast.exe in the list too, which is mentioned on the removal guide. i have ended that, but i still cant run any programs
We need some updated info, please try the following programs until one works and produces a log
Download OTListIt:
Download OTListIt2 (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
Post both logs individually please.
----------------------------------------------------------------------------------------
Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection Double click dds.scr to run the tool. When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. Save both reports to your desktop.---------------------------------------------------
Please include the contents of the following in your next reply:
DDS.txt
Attach.txt
----------------------------------------------------------------------------------------
OTScanIt
Please download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer and save it to your desktop.
Double click on OTS.exe to run it.
Put a checkmark in the Include 64Bit Scans box
Under Additional Scans section, put a check mark next to Reg - Uninstall List. ( you will need to scroll down)
Click on the Run Scan button at the top left hand corner.
OTS will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.
----------------------------------------------------------------------------------------
Please download the Win32kDiag.exe tool from the following location and save it to your desktop:
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe
Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.
Double-click on this file and post the contents as a reply to this topic.
Cant do anything.
i can download them, but when i try to run any of them, a command type box appears for a split second and thats it. ive tried in safe mode, and its still the same.
so far, i have been unable to open any programs by double clicking the icon, but i can open a program by opening a dosument. i.e i cannot open excel, but if i open a .xls file, then excel opens. same with firefox - if i open a html already on pc, then it opens
Please try this ....
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.
@echo off
if exist C:\look*.txt del /q C:\look*.txt
if exist C:\results.txt del /q C:\results.txt
regedit /e C:\look1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e C:\look2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
regedit /e C:\look3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e C:\look4.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler"
regedit /e C:\look5.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
type C:\look*.txt >> C:\results.txt
start notepad C:\results.txt
del /q C:\look*.txt
del /q %0
exit
Double click on look.bat
Please be patient, as this will search the entire disc
Notepad will open, please copy/paste the results here.
done that, results below
notepad opened very quickly, less than 2 seconds? should it have taken longer? (just with you saying be patient)
results:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\\Program Files\\Unlocker\\UnlockerAssistant.exe -H"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"Alcmtr"="ALCMTR.EXE"
"RoxWatchTray"="\"C:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatchTray9.exe\""
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"BullGuard"="\"C:\\Program Files\\BullGuard Ltd\\BullGuard\\bullguard.exe\" -boot"
"PAC7302_Monitor"="C:\\WINDOWS\\PixArt\\PAC7302\\Monitor.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"msnmsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe\" /background"
"DU Meter"="C:\\Program Files\\DU Meter\\DUMeter.exe"
"BullGuard"="\"C:\\Program Files\\BullGuard Ltd\\BullGuard\\bullguard.exe\""
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
That's fine,
Please try the following now.
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it runmbam.bat Please save it on your desktop.
@Echo off
if exist "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" copy "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" "C:\Program Files\Malwarebytes' Anti-Malware\CleanMe.exe"
"C:\Program Files\Malwarebytes' Anti-Malware\CleanMe.exe"
Del /q %0
Double click on runmbam.bat
This will create a copy of MalwareBytes file and then (hopefully) run it
that has worked and allowed malwarebytes to run. scan done and problems fixed. after re-start, i can now open programs.
log from malware bytes
Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 5.1.2600 Service Pack 3
29/08/2009 13:00:18
mbam-log-2009-08-29 (13-00-18).txt
Scan type: Full Scan (C:\|)
Objects scanned: 271926
Time elapsed: 17 minute(s), 23 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 41
Memory Processes Infected:
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Delete on reboot.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> Delete on reboot.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
Please rename Combofix to CleanMe and try running that now.
If it still gives problems, please run the following.
OTScanIt
Please download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer and save it to your desktop.
Double click on OTS.exe to run it.
Under Additional Scans section, put a check mark next to Reg - Uninstall List. ( you will need to scroll down)
Click on the Run Scan button at the top left hand corner.
OTS will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.
cant run combofix, same blue screen
OTS runs though. the results (its too long to post, so results will be in 2 posts)
[code]
OTS logfile created on: 29/08/2009 14:07:07 - Run 1
OTS by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
2.00 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.58% Memory free
3.85 Gb Paging File | 3.51 Gb Available in Paging File | 91.25% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 179.03 Gb Free Space | 76.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: HOME
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
[Processes - Safe List]
bullguard.exe -> C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe -> [2009/08/23 10:38:26 | 00,304,464 | ---- | M] (BullGuard Ltd.)
bullguardupdate.exe -> C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe -> [2009/04/06 11:33:00 | 00,300,368 | ---- | M] (BullGuard Ltd.)
dumeter.exe -> C:\Program Files\DU Meter\DUMeter.exe -> [2009/08/22 18:21:37 | 02,645,528 | ---- | M] (Hagel Technologies Ltd)
dumetersvc.exe -> C:\Program Files\DU Meter\DUMeterSvc.exe -> [2009/08/22 18:21:37 | 01,386,008 | ---- | M] (Hagel Technologies Ltd)
explorer.exe -> C:\WINDOWS\Explorer.EXE -> [2008/07/03 10:38:24 | 01,033,728 | ---- | M] (Microsoft Corporation)
firefox.exe -> C:\Program Files\Mozilla Firefox\firefox.exe -> [2009/07/31 00:39:42 | 00,908,280 | ---- | M] (Mozilla Corporation)
groovemonitor.exe -> C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe -> [2006/10/27 01:47:42 | 00,031,016 | ---- | M] (Microsoft Corporation)
jqs.exe -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2009/05/26 18:32:10 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
monitor.exe -> C:\WINDOWS\PixArt\PAC7302\Monitor.exe -> [2006/11/03 12:01:16 | 00,319,488 | ---- | M] (PixArt Imaging Incorporation)
msnmsgr.exe -> C:\Program Files\Windows Live\Messenger\msnmsgr.exe -> [2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation)
nvsvc32.exe -> C:\WINDOWS\System32\nvsvc32.exe -> [2009/02/18 15:44:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
ots.exe -> C:\Documents and Settings\Administrator\Desktop\OTS.exe -> [2009/08/28 22:53:08 | 00,514,048 | ---- | M] (OldTimer Tools)
rapimgr.exe -> C:\Program Files\Microsoft ActiveSync\rapimgr.exe -> [2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation)
reader_sl.exe -> C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe -> [2008/10/15 01:04:34 | 00,039,792 | ---- | M] (Adobe Systems Incorporated)
rthdcpl.exe -> C:\WINDOWS\RTHDCPL.EXE -> [2007/02/26 16:03:00 | 16,125,440 | ---- | M] (Realtek Semiconductor Corp.)
skype.exe -> C:\Program Files\Skype\Phone\Skype.exe -> [2008/08/12 19:19:02 | 21,741,864 | R--- | M] (Skype Technologies S.A.)
skypepm.exe -> C:\Program Files\Skype\Plugin Manager\skypePM.exe -> [2008/08/12 19:19:02 | 00,076,744 | R--- | M] (Skype Technologies)
tomtomhomeservice.exe -> C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -> [2009/04/08 11:38:14 | 00,092,008 | ---- | M] (TomTom)
unlockerassistant.exe -> C:\Program Files\Unlocker\UnlockerAssistant.exe -> [2008/05/02 01:15:46 | 00,015,872 | ---- | M] ()
wcescomm.exe -> C:\Program Files\Microsoft ActiveSync\wcescomm.exe -> [2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation)
wdfmgr.exe -> C:\WINDOWS\System32\wdfmgr.exe -> [2005/01/28 14:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
winampa.exe -> C:\Program Files\Winamp\winampa.exe -> [2009/02/25 22:26:00 | 00,037,888 | ---- | M] ()
wmiprvse.exe -> C:\WINDOWS\System32\wbem\wmiprvse.exe -> [2008/04/14 11:00:00 | 00,218,112 | ---- | M] (Microsoft Corporation)
[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2005/09/23 08:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation)
(bglivesvc) BullGuard LiveUpdate [Win32_Own | Auto | Running] -> C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe -> [2009/04/06 11:33:00 | 00,300,368 | ---- | M] (BullGuard Ltd.)
(bgmainsvc) BullGuard Main Service [Win32_Shared | Auto | Running] -> C:\Program Files\BullGuard Ltd\BullGuard\BsMain.dll -> [2009/08/23 10:38:26 | 00,079,184 | ---- | M] (BullGuard Ltd.)
(bgrasvc) bgrasvc [Win32_Own | On_Demand | Stopped] -> C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe -> [2009/06/01 12:50:34 | 00,079,184 | ---- | M] (BullGuard Ltd.)
(bsfilescan) BullGuard File Scan Service [Win32_Shared | Auto | Running] -> C:\Program Files\BullGuard Ltd\BullGuard\BsFileScan.dll -> [2009/04/06 11:32:54 | 00,132,432 | ---- | M] (BullGuard Ltd.)
(bsfire) BullGuard Firewall Service [Win32_Shared | Auto | Running] -> C:\Program Files\BullGuard Ltd\BullGuard\BsFire.dll -> [2009/04/06 11:32:56 | 00,333,136 | ---- | M] (BullGuard Ltd.)
(bsmailproxy) BullGuard Email Monitoring Service [Win32_Shared | Auto | Stopped] -> C:\Program Files\BullGuard Ltd\BullGuard\BsMailProxy.dll -> [2009/04/16 13:20:18 | 00,087,376 | ---- | M] (BullGuard Ltd.)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2005/09/23 08:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation)
(DUMeterSvc) DU Meter Service [Win32_Own | Auto | Running] -> C:\Program Files\DU Meter\DUMeterSvc.exe -> [2009/08/22 18:21:37 | 01,386,008 | ---- | M] (Hagel Technologies Ltd)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2008/04/14 11:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2009/05/26 18:32:10 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(Microsoft Office Groove Audit Service) Microsoft Office Groove Audit Service [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -> [2006/10/27 01:47:54 | 00,065,824 | ---- | M] (Microsoft Corporation)
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> C:\WINDOWS\System32\nvsvc32.exe -> [2009/02/18 15:44:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
(odserv) Microsoft Office Diagnostics Service [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -> [2006/10/26 20:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -> [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation)
(Roxio UPnP Renderer 9) Roxio UPnP Renderer 9 [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -> [2007/04/22 21:29:34 | 00,088,824 | ---- | M] (Sonic Solutions)
(Roxio Upnp Server 9) Roxio Upnp Server 9 [Win32_Own | Auto | Stopped] -> C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -> [2007/04/22 21:29:32 | 00,359,160 | ---- | M] (Sonic Solutions)
(RoxLiveShare9) LiveShare P2P Server 9 [Win32_Own | Auto | Stopped] -> C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -> [2007/04/23 12:43:54 | 00,310,008 | ---- | M] (Sonic Solutions)
(RoxMediaDB9) RoxMediaDB9 [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -> [2007/04/23 12:43:46 | 01,010,424 | ---- | M] (Sonic Solutions)
(RoxWatch9) Roxio Hard Drive Watcher 9 [Win32_Own | Auto | Stopped] -> C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -> [2007/04/23 12:43:54 | 00,166,648 | ---- | M] (Sonic Solutions)
(TomTomHOMEService) TomTomHOMEService [Win32_Own | Auto | Running] -> C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -> [2009/04/08 11:38:14 | 00,092,008 | ---- | M] (TomTom)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> C:\WINDOWS\System32\wdfmgr.exe -> [2005/01/28 14:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation)
[Driver Services - Safe List]
(57852f5b) 57852f5b [Kernel | System | Stopped] -> C:\WINDOWS\System32\drivers\57852f5b.sys -> [2009/08/27 19:53:30 | 00,000,000 | ---- | M] ()
(afw) Agnitum firewall driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\afw.sys -> [2009/03/23 13:07:16 | 00,031,128 | R--- | M] (Agnitum Ltd.)
(afwcore) afwcore [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\afwcore.sys -> [2009/03/23 13:07:16 | 00,257,304 | ---- | M] (Agnitum Ltd.)
(Aspi32) Aspi32 [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\aspi32.sys -> [2006/02/25 15:13:06 | 00,016,877 | ---- | M] (Adaptec)
(bdfilespy) BullGuard File Monitor Driver [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\BdFileSpy.sys -> [2009/01/23 14:48:56 | 00,055,504 | ---- | M] (BullGuard Ltd.)
(DgiVecp) DgiVecp [Kernel | Auto | Running] -> C:\WINDOWS\System32\Drivers\DgiVecp.sys -> [2007/02/24 00:18:34 | 00,041,984 | ---- | M] (Samsung Electronics Co., Ltd.)
(giveio) giveio [Kernel | Boot | Running] -> C:\WINDOWS\system32\giveio.sys -> [1996/04/03 20:33:26 | 00,005,248 | ---- | M] ()
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -> [2008/04/14 11:00:00 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\drivers\RtkHDAud.sys -> [2007/03/01 18:27:00 | 04,484,608 | ---- | M] (Realtek Semiconductor Corp.)
(nv) nv [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -> [2009/02/18 15:44:00 | 06,308,224 | ---- | M] (NVIDIA Corporation)
(NVENETFD) NVIDIA nForce 10/100 Mbps Ethernet [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\NVENETFD.sys -> [2008/12/30 12:29:33 | 00,054,784 | ---- | M] (NVIDIA Corporation)
(nvgts) nvgts [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\nvgts.sys -> [2008/12/30 12:14:40 | 00,145,952 | ---- | M] (NVIDIA Corporation)
(nvnetbus) NVIDIA Network Bus Enumerator [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\nvnetbus.sys -> [2008/12/30 12:29:33 | 00,022,016 | ---- | M] (NVIDIA Corporation)
(PAC7302) PAC7302 VGA USB Camera [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\PAC7302.SYS -> [2007/06/14 16:29:08 | 00,457,856 | ---- | M] (PixArt Imaging Inc.)
(Pnp680r) Silicon Image SiI 0680 Medley Raid Controller [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\pnp680r.sys -> [2002/05/31 17:35:02 | 00,076,976 | ---- | M] (Silicon Image, Inc)
(profos) profos [Kernel | On_Demand | Stopped] -> C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys -> [2009/08/23 10:38:27 | 00,014,720 | ---- | M] (BitDefender S.R.L.)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\ptilink.sys -> [2008/04/14 11:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> C:\WINDOWS\System32\Drivers\PxHelp20.sys -> [2008/08/20 18:58:58 | 00,044,944 | ---- | M] (Sonic Solutions)
(RimUsb) BlackBerry Device [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\Drivers\RimUsb.sys -> [2006/11/07 20:02:04 | 00,022,272 | ---- | M] (Research In Motion Limited)
(RimVSerPort) RIM Virtual Serial Port v2 [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\RimSerial.sys -> [2007/01/18 11:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd)
(ROOTMODEM) Microsoft Legacy Modem Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\Drivers\RootMdm.sys -> [2008/04/14 11:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\secdrv.sys -> [2008/04/14 11:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(speedfan) speedfan [Kernel | Boot | Running] -> C:\WINDOWS\system32\speedfan.sys -> [2006/09/24 14:28:46 | 00,005,248 | ---- | M] (Windows (R) 2000 DDK provider)
(SysProtDrv.sys) SysProtDrv.sys [Kernel | On_Demand | Stopped] -> C:\Documents and Settings\Administrator\Desktop\temp downloaded stuff\SysProt\SysProt\SysProtDrv.sys -> [2009/08/28 18:32:21 | 00,044,288 | ---- | M] ()
(trufos) trufos [Kernel | On_Demand | Stopped] -> C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys -> [2009/08/23 10:38:27 | 00,039,808 | ---- | M] (BitDefender S.R.L.)
(usbaudio) USB Audio Driver (WDM) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\drivers\usbaudio.sys -> [2008/04/14 01:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation)
(wceusbsh) Windows CE USB Serial Host Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\wceusbsh.sys -> [2006/11/06 19:04:56 | 00,028,672 | ---- | M] (Microsoft Corporation)
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.google.com/ ->
HKEY_CURRENT_USER\: SearchURL\\"provider" -> ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\b1seu9e4.default\prefs.js ->
browser.search.selectedEngine -> "Answers.com" ->
extensions.enabledItems -> {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13 ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
extensions.enabledItems -> {FDE180A3-C4F5-4D5A-B889-16C2669E1E61}:1.0 ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\extensions -> ->
HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com -> C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/05/26 18:32:10 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\extensions\\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61} -> C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61} [C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}] -> [2009/08/22 18:49:56 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71} -> C:\PROGRAM FILES\AVG\AVG8\FIREFOX ->
HKLM\software\mozilla\mozilla firefox 3.5.2\extensions -> ->
HKLM\software\mozilla\mozilla firefox 3.5.2\extensions\\Components -> C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/08/24 21:45:18 | 00,000,000 | ---D | M]
HKLM\software\mozilla\mozilla firefox 3.5.2\extensions\\Plugins -> C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/08/24 21:45:18 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
-> C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions -> [2009/03/07 18:01:40 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} -> [2009/03/07 18:01:40 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\home2@tomtom.com -> [2009/03/07 18:01:40 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\b1seu9e4.default\extensions -> [2009/08/24 21:45:23 | 00,101,571 | ---- | M] ()
< FireFox Extensions [Program Folders] > ->
-> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions -> [2009/07/31 00:39:42 | 10,728,440 | ---- | M] (Mozilla Foundation)
-> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} -> [2009/07/31 00:39:42 | 10,728,440 | ---- | M] (Mozilla Foundation)
-> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} -> [2009/07/31 00:39:42 | 10,728,440 | ---- | M] (Mozilla Foundation)
< FireFox Components [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\components\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\components -> [2009/08/24 21:45:18 | 00,000,000 | ---D | M]
browserdirprovider.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\browserdirprovider.dll -> [2009/07/31 00:39:43 | 00,023,544 | ---- | M] (Mozilla Foundation)
brwsrcmp.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\brwsrcmp.dll -> [2009/07/31 00:39:43 | 00,137,208 | ---- | M] (Mozilla Foundation)
< FireFox Plugins [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins -> [2009/08/24 21:45:18 | 00,000,000 | ---D | M]
npdeploytk.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npdeploytk.dll -> [2009/05/26 18:32:10 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.)
npnul32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npnul32.dll -> [2009/07/31 00:39:43 | 00,065,016 | ---- | M] (mozilla.org)
NPOFF12.DLL -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\NPOFF12.DLL -> [2006/10/26 21:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation)
nppdf32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\nppdf32.dll -> [2008/10/14 21:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.)
< FireFox SearchPlugins [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins -> [2009/08/24 21:45:18 | 00,000,000 | ---D | M]
amazon-en-GB.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\amazon-en-GB.xml -> [2009/07/30 23:24:36 | 00,001,538 | ---- | M] ()
answers.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\answers.xml -> [2009/07/31 00:39:40 | 00,002,193 | ---- | M] ()
chambers-en-GB.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\chambers-en-GB.xml -> [2009/07/30 23:24:36 | 00,000,947 | ---- | M] ()
creativecommons.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\creativecommons.xml -> [2009/07/31 00:39:40 | 00,001,534 | ---- | M] ()
eBay-en-GB.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\eBay-en-GB.xml -> [2009/07/30 23:24:36 | 00,000,769 | ---- | M] ()
google.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\google.xml -> [2009/07/31 00:39:40 | 00,002,371 | ---- | M] ()
wikipedia.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\wikipedia.xml -> [2009/07/31 00:39:40 | 00,001,178 | ---- | M] ()
yahoo-en-GB.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\yahoo-en-GB.xml -> [2009/07/30 23:24:36 | 00,000,831 | ---- | M] ()
Hosts file not found -> ->
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> C:\Program Files\Ask.com\GenericAskToolbar.dll [Ask.com Toolbar] -> [2009/04/02 19:50:28 | 00,809,864 | ---- | M] (Ask.com)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> C:\Program Files\Ask.com\GenericAskToolbar.dll [Ask.com Toolbar] -> [2009/04/02 19:50:28 | 00,809,864 | ---- | M] (Ask.com)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Adobe Reader Speed Launcher" -> C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> [2008/10/15 01:04:34 | 00,039,792 | ---- | M] (Adobe Systems Incorporated)
"Alcmtr" -> C:\WINDOWS\Alcmtr.exe [ALCMTR.EXE] -> [2005/05/03 19:43:00 | 00,069,632 | ---- | M] (Realtek Semiconductor Corp.)
"avast!" -> C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> File not found
"AVG8_TRAY" -> C:\PROGRA~1\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe] -> File not found
"BullGuard" -> C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe ["C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot] -> [2009/08/23 10:38:26 | 00,304,464 | ---- | M] (BullGuard Ltd.)
"GrooveMonitor" -> C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe ["C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"] -> [2006/10/27 01:47:42 | 00,031,016 | ---- | M] (Microsoft Corporation)
"NvCplDaemon" -> C:\WINDOWS\System32\NvCpl.DLL [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2009/02/18 15:44:00 | 13,680,640 | ---- | M] (NVIDIA Corporation)
"NvMediaCenter" -> C:\WINDOWS\System32\NvMcTray.DLL [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> [2009/02/18 15:44:00 | 00,086,016 | ---- | M] (NVIDIA Corporation)
"PAC7302_Monitor" -> C:\WINDOWS\PixArt\PAC7302\Monitor.exe [C:\WINDOWS\PixArt\PAC7302\Monitor.exe] -> [2006/11/03 12:01:16 | 00,319,488 | ---- | M] (PixArt Imaging Incorporation)
"RoxWatchTray" -> C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe ["C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"] -> [2007/04/23 12:43:50 | 00,228,088 | ---- | M] (Sonic Solutions)
"RTHDCPL" -> C:\WINDOWS\RTHDCPL.exe [RTHDCPL.EXE] -> [2007/02/26 16:03:00 | 16,125,440 | ---- | M] (Realtek Semiconductor Corp.)
"SkyTel" -> C:\WINDOWS\SkyTel.exe [SkyTel.EXE] -> [2006/05/16 19:04:00 | 02,879,488 | ---- | M] (Realtek Semiconductor Corp.)
"UnlockerAssistant" -> C:\Program Files\Unlocker\UnlockerAssistant.exe [C:\Program Files\Unlocker\UnlockerAssistant.exe -H] -> [2008/05/02 01:15:46 | 00,015,872 | ---- | M] ()
"WinampAgent" -> C:\Program Files\Winamp\winampa.exe ["C:\Program Files\Winamp\winampa.exe"] -> [2009/02/25 22:26:00 | 00,037,888 | ---- | M] ()
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"BullGuard" -> C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe ["C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"] -> [2009/08/23 10:38:26 | 00,304,464 | ---- | M] (BullGuard Ltd.)
"DU Meter" -> C:\Program Files\DU Meter\DUMeter.exe [C:\Program Files\DU Meter\DUMeter.exe] -> [2009/08/22 18:21:37 | 02,645,528 | ---- | M] (Hagel Technologies Ltd)
"H/PC Connection Agent" -> C:\Program Files\Microsoft ActiveSync\wcescomm.exe ["C:\Program Files\Microsoft ActiveSync\wcescomm.exe"] -> [2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation)
"msnmsgr" -> C:\Program Files\Windows Live\Messenger\msnmsgr.exe ["C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background] -> [2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation)
"Skype" -> C:\Program Files\Skype\Phone\Skype.exe ["C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized] -> [2008/08/12 19:19:02 | 21,741,864 | R--- | M] (Skype Technologies S.A.)
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer
\\"Windows Update Menu Text" -> [Microsoft Update] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
\\"NoDesktopCleanupWizard" -> [1] -> File not found
\\"NoCDBurning" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"DisableStatusMessages" -> [0] -> File not found
\\"VerboseStatus" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoResolveTrack" -> [1] -> File not found
\\"LinkResolveIgnoreLinkInfo" -> [1] -> File not found
\\"NoResolveSearch" -> [1] -> File not found
\\"NoLowDiskSpaceChecks" -> [1] -> File not found
\\"NoInstrumentation" -> [1] -> File not found
\\"NoStartMenuMFUprogramsList" -> [1] -> File not found
\\"ClearRecentDocsOnExit" -> [1] -> File not found
\\"NoFolderOptions" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"DisableRegistryTools" -> [0] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000] -> [2006/10/27 16:07:36 | 17,891,112 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{dfb852a3-47f8-48c4-a200-58cab36fd2a2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search && Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{2670000A-7350-4f3c-8081-5663EE0C6C49}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{dfb852a3-47f8-48c4-a200-58cab36fd2a2}" [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{1E54D648-B804-468d-BC78-4AFFED8E262E} [HKLM] -> http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab [System Requirements Lab Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] ->
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab [Java Plug-in 1.6.0_13] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 194.168.4.100 194.168.8.100 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{C1AB0E24-EBEF-4145-AFB1-CD3C7E046FEA}\\DhcpNameServer -> 194.168.4.100 194.168.8.100 (NVIDIA nForce 10/100 Mbps Ethernet ) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/07/03 10:38:24 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
avgrsstarter -> -> File not found
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" [HKLM] -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [Groove GFS Stub Execution Hook] -> [2006/10/27 01:48:42 | 02,210,608 | ---- | M] (Microsoft Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/14 11:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\System32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 11:00:00 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" -> C:\Program Files\Microsoft ActiveSync\rapimgr.exe [C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager] -> [2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" -> C:\Program Files\Microsoft ActiveSync\wcescomm.exe [C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager] -> [2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" -> C:\Program Files\Microsoft ActiveSync\WCESMgr.exe [C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application] -> [2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" -> C:\Program Files\Windows Live\Messenger\msnmsgr.exe [C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger] -> [2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" -> C:\Program Files\Windows Live\Messenger\wlcsdk.exe [C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call] -> [2009/02/06 18:21:00 | 00,583,024 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/14 11:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\System32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 11:00:00 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" -> C:\Program Files\Microsoft ActiveSync\rapimgr.exe [C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager] -> [2006/11/13 14:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" -> C:\Program Files\Microsoft ActiveSync\wcescomm.exe [C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager] -> [2006/11/13 14:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" -> C:\Program Files\Microsoft ActiveSync\WCESMgr.exe [C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application] -> [2006/11/13 14:39:54 | 04,270,888 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" -> C:\Program Files\Microsoft Office\Office12\GROOVE.EXE [C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove] -> [2006/10/27 16:37:44 | 00,338,216 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" -> C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote] -> [2006/10/27 16:03:04 | 01,018,664 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" -> C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE [C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook] -> [2006/10/27 16:16:48 | 12,813,096 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" -> C:\Program Files\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype] -> [2008/08/12 19:19:02 | 21,741,864 | R--- | M] (Skype Technologies S.A.)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" -> C:\Program Files\Windows Live\Messenger\msnmsgr.exe [C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger] -> [2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" -> C:\Program Files\Windows Live\Messenger\wlcsdk.exe [C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call] -> [2009/02/06 18:21:00 | 00,583,024 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2009/03/04 22:02:01 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\{b5b1da9e-3d86-11de-957b-001bfc4adb54}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b5b1da9e-3d86-11de-957b-001bfc4adb54}\Shell\AutoRun\command
\{b5b1da9e-3d86-11de-957b-001bfc4adb54}\Shell\AutoRun\command\\"" -> K:\InstallTomTomHOME.exe [K:\InstallTomTomHOME.exe] -> File not found
[Registry - Additional Scans - Safe List]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ ->
{0AAA9C97-74D4-47CE-B089-0B147EF3553C} -> Windows Live Messenger
{205C6BDD-7B73-42DE-8505-9A093F35A238} -> Windows Live Upload Tool
{2184D9EA-4E5B-43FD-914E-4563CF028C94} -> MetalGearSolid2 Substance
{22B775E7-6C42-4FC5-8E10-9A5E3257BD94} -> MSVCRT
{26A24AE4-039D-4CA4-87B4-2F83216013FF} -> Java(TM) 6 Update 13
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP
{3B4E636E-9D65-4D67-BA61-189800823F52} -> Windows Live Communications Platform
{45338B07-A236-4270-9A77-EBB4115517B5} -> Windows Live Sign-in Assistant
{4B35F00C-E63D-40DC-9839-DF15A33EAC46} -> Grand Theft Auto Vice City
{4F6F5C1E-F109-4A58-8F43-9A1039CDAFC9} -> Zumtobel - Product Explorer 6.0
{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F} -> GetDataBack for NTFS
{5C57D058-8EEE-4C8D-81A9-1D8D11F4A48F} -> Crystal reports 9.0 for Contractor Pro
{5C82DAE5-6EB0-4374-9254-BE3319BA4E82} -> Skype™ 3.8
{60C18308-6FD1-47AF-8185-B4AFEF2E24EF} -> Contractor Pro
{66D171AA-670F-4309-9C74-5BA7F7DBA0B3} -> Roxio Media Manager
{67E4EE98-59F4-4220-89A6-A20AF5BEC689} -> Microsoft AutoRoute 2005
{6B2C675E-8040-431B-99C4-137DF4FBF75A} -> Thermal Analysis Tool
{7131646D-CD3C-40F4-97B9-CD9E4E6262EF} -> Microsoft .NET Framework 2.0
{7299052b-02a4-4627-81f2-1818da5d550d} -> Microsoft Visual C++ 2005 Redistributable
{86D4B82A-ABED-442A-BE86-96357B70F4FE} -> Ask Toolbar
{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533} -> TomTom HOME Visual Studio Merge Modules
{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E} -> Choice Guard
{90120000-0010-0409-0000-0000000FF1CE} -> Microsoft Software Update for Web Folders (English) 12
{90120000-0015-0409-0000-0000000FF1CE} -> Microsoft Office Access MUI (English) 2007
{90120000-0016-0409-0000-0000000FF1CE} -> Microsoft Office Excel MUI (English) 2007
{90120000-0018-0409-0000-0000000FF1CE} -> Microsoft Office PowerPoint MUI (English) 2007
{90120000-0019-0409-0000-0000000FF1CE} -> Microsoft Office Publisher MUI (English) 2007
{90120000-001A-0409-0000-0000000FF1CE} -> Microsoft Office Outlook MUI (English) 2007
{90120000-001B-0409-0000-0000000FF1CE} -> Microsoft Office Word MUI (English) 2007
{90120000-001F-0409-0000-0000000FF1CE} -> Microsoft Office Proof (English) 2007
{90120000-001F-040C-0000-0000000FF1CE} -> Microsoft Office Proof (French) 2007
{90120000-001F-0C0A-0000-0000000FF1CE} -> Microsoft Office Proof (Spanish) 2007
{90120000-002C-0409-0000-0000000FF1CE} -> Microsoft Office Proofing (English) 2007
{90120000-0030-0000-0000-0000000FF1CE} -> Microsoft Office Enterprise 2007
{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663} ->
{90120000-0044-0409-0000-0000000FF1CE} -> Microsoft Office InfoPath MUI (English) 2007
{90120000-006E-0409-0000-0000000FF1CE} -> Microsoft Office Shared MUI (English) 2007
{90120000-00A1-0409-0000-0000000FF1CE} -> Microsoft Office OneNote MUI (English) 2007
{90120000-00BA-0409-0000-0000000FF1CE} -> Microsoft Office Groove MUI (English) 2007
{90120000-0114-0409-0000-0000000FF1CE} -> Microsoft Office Groove Setup Metadata MUI (English) 2007
{90120000-0115-0409-0000-0000000FF1CE} -> Microsoft Office Shared Setup Metadata MUI (English) 2007
{90120000-0117-0409-0000-0000000FF1CE} -> Microsoft Office Access Setup Metadata MUI (English) 2007
{95120000-00B9-0409-0000-0000000FF1CE} -> Microsoft Application Error Reporting
{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D} -> BlackBerry Desktop Software 4.2.2
{99052DB7-9592-4522-A558-5417BBAD48EE} -> Microsoft ActiveSync
{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7} -> Segoe UI
{AC76BA86-7AD7-1033-7B44-A81300000003} -> Adobe Reader 8.1.3
{b4092c6d-e886-4cb2-ba68-fe5a88d31de6}_is1 -> Spybot - Search & Destroy
{B8EE8264-238C-430A-9D5F-DB9139B09364} -> Thorn - Product Explorer 6.0
{BC35DF5E-7682-40F9-8FF0-737D8C568F7D} -> Philips Product Selector 1.0.2
{C6CA8874-5F22-4AF0-9BE3-016BF299C536} -> Windows Live Essentials
{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} -> Microsoft .NET Framework 1.1
{CC411126-8CDE-4B7C-950F-4197C931B0C8} -> ML-1510_700 Series
{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E} -> GTA San Andreas
{DF9A6075-9308-4572-8932-A4316243C4D9} -> Brother P-touch Editor 5.0
{E670CC9A-7CD2-4BB8-9485-6324EFAC137C} -> PhotoLux
{E6B87DC4-2B3D-4483-ADFF-E483BF718991} -> OpenOffice.org 3.1
{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC} -> Realtek High Definition Audio Driver
{F6BD194C-4190-4D73-B1B1-C48C99921BFE} -> Windows Live Call
32fsu32_is1 -> File Scavenger 3.2 (English)
Adobe Flash Player Plugin -> Adobe Flash Player 10 Plugin
age of empires 2.0 -> Microsoft Age of Empires II
Audacity 1.3 Beta (Unicode)_is1 -> Audacity 1.3.3 (Unicode)
BitLord -> BitLord 1.1
BlackBerry_{98605CAA-5F52-44EC-8AF7-2EC1A4C35F2D} -> BlackBerry Desktop Software 4.2.2
BullGuard -> BullGuard 8.5
Cable-Mate 3.3 -> Cable-Mate 3.3
ccleaner -> CCleaner (remove only)
Clik 3 -> Clik 3
DUMeter3_is1 -> DU Meter
EAGLE 5.6.0 -> EAGLE 5.6.0
EasyCert -> EasyCert
ENTERPRISE -> Microsoft Office Enterprise 2007
FileZilla Client -> FileZilla Client 3.2.6
hijackthis -> HijackThis 2.0.2
InstallShield_{BC35DF5E-7682-40F9-8FF0-737D8C568F7D} -> Philips Product Selector 1.0.2
InstallShield_{DF9A6075-9308-4572-8932-A4316243C4D9} -> Brother P-touch Editor 5.0
LAME for Audacity_is1 -> LAME v3.98.2 for Audacity
Malwarebytes' Anti-Malware_is1 -> Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 -> Microsoft .NET Framework 2.0
mozilla firefox (3.5.2) -> Mozilla Firefox (3.5.2)
NVIDIA Drivers -> NVIDIA Drivers
PDF Editor 2 -> PDF Editor 2
PrimoPDF4.1.0.9 -> PrimoPDF
Samsung CLX-216x Series -> Samsung CLX-216x Series
SpeedFan -> SpeedFan (remove only)
SystemRequirementsLab -> System Requirements Lab
TomTom HOME -> TomTom HOME 2.6.2.1586
Tysoft PDF_is1 -> Tysoft PDF (novaPDF 6.2 printer)
Winamp -> Winamp
Windows Media Format Runtime -> Windows Media Format Runtime
WinLiveSuite_Wave3 -> Windows Live Essentials
WinRAR archiver -> WinRAR archiver
Part 2 of OTS log
[Files/Folders - Created Within 30 Days]
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp ->
CleanMe -> C:\CleanMe -> [2009/08/29 14:02:54 | 00,000,000 | --SD | C]
CF17295.exe -> C:\WINDOWS\System32\CF17295.exe -> [2009/08/29 14:02:53 | 00,389,120 | ---- | C] (Microsoft Corporation)
CF17149.exe -> C:\WINDOWS\System32\CF17149.exe -> [2009/08/29 14:02:08 | 00,389,120 | ---- | C] (Microsoft Corporation)
Recent -> C:\Documents and Settings\Administrator\Recent -> [2009/08/29 13:00:26 | 00,000,000 | RH-D | C]
hiberfil.sys -> C:\hiberfil.sys -> [2009/08/29 11:51:43 | 21,468,16000 | -HS- | C] ()
OTS.exe -> C:\Documents and Settings\Administrator\Desktop\OTS.exe -> [2009/08/28 22:53:07 | 00,514,048 | ---- | C] (OldTimer Tools)
Bookmarks 2009-08-28.json -> C:\Documents and Settings\Administrator\Desktop\Bookmarks 2009-08-28.json -> [2009/08/28 22:32:02 | 00,073,761 | ---- | C] ()
ComboFix -> C:\ComboFix -> [2009/08/28 18:13:35 | 00,000,000 | --SD | C]
CF13640.exe -> C:\WINDOWS\System32\CF13640.exe -> [2009/08/28 18:13:34 | 00,389,120 | ---- | C] (Microsoft Corporation)
CF12990.exe -> C:\WINDOWS\System32\CF12990.exe -> [2009/08/28 18:10:07 | 00,389,120 | ---- | C] (Microsoft Corporation)
CleanMe.exe -> C:\Documents and Settings\Administrator\Desktop\CleanMe.exe -> [2009/08/28 18:09:07 | 03,188,248 | R--- | C] ()
CF14402.exe -> C:\WINDOWS\System32\CF14402.exe -> [2009/08/28 15:30:11 | 00,389,120 | ---- | C] (Microsoft Corporation)
CF14225.exe -> C:\WINDOWS\System32\CF14225.exe -> [2009/08/28 15:29:18 | 00,389,120 | ---- | C] (Microsoft Corporation)
CF13416.exe -> C:\WINDOWS\System32\CF13416.exe -> [2009/08/28 15:25:11 | 00,389,120 | ---- | C] (Microsoft Corporation)
Malwarebytes -> C:\Documents and Settings\Administrator\Application Data\Malwarebytes -> [2009/08/27 22:11:23 | 00,000,000 | ---D | C]
malware.lnk -> C:\Documents and Settings\All Users\Desktop\malware.lnk -> [2009/08/27 22:11:22 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2009/08/27 22:11:19 | 00,038,160 | ---- | C] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2009/08/27 22:11:18 | 00,019,096 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2009/08/27 22:11:18 | 00,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2009/08/27 22:11:18 | 00,000,000 | ---D | C]
CF5798.exe -> C:\WINDOWS\System32\CF5798.exe -> [2009/08/27 22:02:52 | 00,389,120 | ---- | C] (Microsoft Corporation)
Boot.bak -> C:\Boot.bak -> [2009/08/27 21:58:14 | 00,000,232 | ---- | C] ()
cmldr -> C:\cmldr -> [2009/08/27 21:58:09 | 00,260,272 | ---- | C] ()
cmdcons -> C:\cmdcons -> [2009/08/27 21:58:08 | 00,000,000 | RHSD | C]
PEV.exe -> C:\WINDOWS\PEV.exe -> [2009/08/27 21:57:06 | 00,229,376 | ---- | C] ()
SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2009/08/27 21:57:06 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2009/08/27 21:57:06 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2009/08/27 21:57:06 | 00,136,704 | ---- | C] (SteelWerX)
sed.exe -> C:\WINDOWS\sed.exe -> [2009/08/27 21:57:06 | 00,098,816 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2009/08/27 21:57:06 | 00,080,412 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2009/08/27 21:57:06 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2009/08/27 21:57:06 | 00,031,232 | ---- | C] (NirSoft)
ERDNT -> C:\WINDOWS\ERDNT -> [2009/08/27 21:56:49 | 00,000,000 | ---D | C]
CF4609.exe -> C:\WINDOWS\System32\CF4609.exe -> [2009/08/27 21:56:47 | 00,389,120 | ---- | C] (Microsoft Corporation)
Qoobox -> C:\Qoobox -> [2009/08/27 21:56:40 | 00,000,000 | ---D | C]
rsit -> C:\rsit -> [2009/08/27 19:37:50 | 00,000,000 | ---D | C]
HijackThis.lnk -> C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk -> [2009/08/25 12:36:27 | 00,001,734 | ---- | C] ()
Trend Micro -> C:\Program Files\Trend Micro -> [2009/08/25 12:36:27 | 00,000,000 | ---D | C]
Mozilla Firefox.lnk -> C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk -> [2009/08/24 21:45:19 | 00,001,602 | ---- | C] ()
bookmarkbackups -> C:\Documents and Settings\Administrator\Desktop\bookmarkbackups -> [2009/08/24 21:40:21 | 00,000,000 | ---D | C]
Bookmarks 2009-08-24.json -> C:\Documents and Settings\Administrator\Desktop\Bookmarks 2009-08-24.json -> [2009/08/24 21:39:31 | 00,074,646 | ---- | C] ()
CCleaner.lnk -> C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk -> [2009/08/23 23:07:51 | 00,001,548 | ---- | C] ()
CCleaner -> C:\Program Files\CCleaner -> [2009/08/23 23:07:51 | 00,000,000 | ---D | C]
wininit.ini -> C:\WINDOWS\wininit.ini -> [2009/08/23 22:18:18 | 00,002,334 | ---- | C] ()
Spybot - Search & Destroy.lnk -> C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk -> [2009/08/23 22:06:38 | 00,000,933 | ---- | C] ()
Spybot - Search & Destroy -> C:\Program Files\Spybot - Search & Destroy -> [2009/08/23 22:06:35 | 00,000,000 | ---D | C]
Spybot - Search & Destroy -> C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy -> [2009/08/23 22:06:35 | 00,000,000 | ---D | C]
Age of Empires II.lnk -> C:\Documents and Settings\Administrator\Desktop\Age of Empires II.lnk -> [2009/08/23 17:24:34 | 00,001,819 | ---- | C] ()
Microsoft Games -> C:\Program Files\Microsoft Games -> [2009/08/23 17:22:51 | 00,000,000 | ---D | C]
Your Company Name -> C:\Program Files\Your Company Name -> [2009/08/23 16:57:38 | 00,000,000 | ---D | C]
ntuser.pol -> C:\Documents and Settings\Administrator\ntuser.pol -> [2009/08/23 13:47:36 | 00,000,452 | RHS- | C] ()
GroupPolicy -> C:\WINDOWS\System32\GroupPolicy -> [2009/08/23 13:46:49 | 00,000,000 | -H-D | C]
pss -> C:\WINDOWS\pss -> [2009/08/23 10:09:31 | 00,000,000 | ---D | C]
BullGuard -> C:\Documents and Settings\All Users\Application Data\BullGuard -> [2009/08/22 20:27:31 | 00,000,000 | ---D | C]
BullGuard -> C:\Documents and Settings\Administrator\Application Data\BullGuard -> [2009/08/22 20:27:29 | 00,000,000 | ---D | C]
BullGuard.lnk -> C:\Documents and Settings\All Users\Desktop\BullGuard.lnk -> [2009/08/22 20:27:23 | 00,000,838 | ---- | C] ()
Alwil Software -> C:\Program Files\Alwil Software -> [2009/08/22 19:34:53 | 00,000,000 | ---D | C]
AVG -> C:\Program Files\AVG -> [2009/08/22 18:53:25 | 00,000,000 | ---D | C]
Snuhacokuvomuy.dat -> C:\WINDOWS\Snuhacokuvomuy.dat -> [2009/08/22 18:49:57 | 00,000,120 | ---- | C] ()
{FDE180A3-C4F5-4D5A-B889-16C2669E1E61} -> C:\Documents and Settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61} -> [2009/08/22 18:49:56 | 00,000,000 | ---D | C]
57852f5b.sys -> C:\WINDOWS\System32\drivers\57852f5b.sys -> [2009/08/22 18:46:16 | 00,000,000 | ---- | C] ()
E88D4.exe -> C:\WINDOWS\E88D4.exe -> [2009/08/22 18:30:48 | 00,005,095 | -HS- | C] ()
Hagel Technologies -> C:\Documents and Settings\All Users\Application Data\Hagel Technologies -> [2009/08/22 18:21:58 | 00,000,000 | ---D | C]
DU Meter -> C:\Program Files\DU Meter -> [2009/08/22 18:21:56 | 00,000,000 | ---D | C]
METAL GEAR SOLID2 SUBSTANCE.lnk -> C:\Documents and Settings\All Users\Desktop\METAL GEAR SOLID2 SUBSTANCE.lnk -> [2009/08/22 18:11:41 | 00,000,972 | ---- | C] ()
KONAMI -> C:\Program Files\KONAMI -> [2009/08/22 18:04:28 | 00,000,000 | ---D | C]
Microsoft AutoRoute.lnk -> C:\Documents and Settings\Administrator\Desktop\Microsoft AutoRoute.lnk -> [2009/08/03 22:39:07 | 00,002,399 | ---- | C] ()
Microsoft AutoRoute -> C:\Program Files\Microsoft AutoRoute -> [2009/08/03 19:56:22 | 00,000,000 | ---D | C]
AskToolbar -> C:\Documents and Settings\Administrator\Local Settings\Application Data\AskToolbar -> [2009/08/01 19:21:38 | 00,000,000 | ---D | C]
Backup - Clik Service.lnk -> C:\Documents and Settings\Administrator\Desktop\Backup - Clik Service.lnk -> [2009/08/01 16:47:59 | 00,001,589 | ---- | C] ()
Clik Service.lnk -> C:\Documents and Settings\Administrator\Desktop\Clik Service.lnk -> [2009/08/01 16:47:59 | 00,001,577 | ---- | C] ()
SdoEng100.dll -> C:\WINDOWS\System32\SdoEng100.dll -> [2009/08/01 16:47:50 | 00,532,480 | ---- | C] (Sage (UK) Limited)
SdoEng90.dll -> C:\WINDOWS\System32\SdoEng90.dll -> [2009/08/01 16:47:50 | 00,507,904 | ---- | C] (Sage (UK) Limited)
SdoEng80.dll -> C:\WINDOWS\System32\SdoEng80.dll -> [2009/08/01 16:47:50 | 00,471,040 | ---- | C] (Sage (UK) Limited)
SdoEng70.dll -> C:\WINDOWS\System32\SdoEng70.dll -> [2009/08/01 16:47:50 | 00,454,656 | ---- | C] (The Sage Group plc)
SGRegister.dll -> C:\WINDOWS\System32\SGRegister.dll -> [2009/08/01 16:47:50 | 00,122,880 | ---- | C] (Sage Software Limited)
Sgdt32.dll -> C:\WINDOWS\System32\Sgdt32.dll -> [2009/08/01 16:47:50 | 00,073,728 | ---- | C] ()
SdoEng110.dll -> C:\WINDOWS\System32\SdoEng110.dll -> [2009/08/01 16:47:48 | 01,089,536 | ---- | C] (Sage (UK) Limited)
SDOApp.dll -> C:\WINDOWS\System32\SDOApp.dll -> [2009/08/01 16:47:48 | 00,253,952 | ---- | C] ()
Sdoeng.dll -> C:\WINDOWS\System32\Sdoeng.dll -> [2009/08/01 16:47:48 | 00,227,840 | ---- | C] (The Sage Group plc)
Sgcom32.dll -> C:\WINDOWS\System32\Sgcom32.dll -> [2009/08/01 16:47:48 | 00,086,016 | ---- | C] ()
SdoEng120.dll -> C:\WINDOWS\System32\SdoEng120.dll -> [2009/08/01 16:47:46 | 02,785,280 | ---- | C] (Sage (UK) Limited)
Clik -> C:\Program Files\Clik -> [2009/08/01 16:47:21 | 00,000,000 | ---D | C]
GECKOS.INI -> C:\WINDOWS\GECKOS.INI -> [2009/06/19 18:50:27 | 00,000,070 | ---- | C] ()
sdsip.dll -> C:\WINDOWS\System32\sdsip.dll -> [2009/04/30 16:29:16 | 00,000,010 | ---- | C] ()
easycert.INI -> C:\WINDOWS\easycert.INI -> [2009/04/15 18:54:19 | 00,000,028 | ---- | C] ()
WBHelps21.dll -> C:\WINDOWS\System32\WBHelps21.dll -> [2009/04/15 18:44:03 | 00,000,008 | ---- | C] ()
PTQL5F.DLL -> C:\WINDOWS\System32\PTQL5F.DLL -> [2009/03/22 15:08:44 | 00,061,440 | ---- | C] ()
PTQL5L.INI -> C:\WINDOWS\System32\PTQL5L.INI -> [2009/03/22 15:08:44 | 00,001,235 | ---- | C] ()
SP7302.INI -> C:\WINDOWS\System32\SP7302.INI -> [2009/03/14 22:00:09 | 00,000,566 | ---- | C] ()
DLPORTIO.SYS -> C:\WINDOWS\System32\drivers\DLPORTIO.SYS -> [2009/03/14 11:48:48 | 00,003,584 | ---- | C] ()
cx21sl3.dll -> C:\WINDOWS\System32\cx21sl3.dll -> [2009/03/12 17:57:07 | 00,022,723 | ---- | C] ()
Primomonnt.dll -> C:\WINDOWS\System32\Primomonnt.dll -> [2009/03/07 20:08:55 | 00,176,235 | ---- | C] ()
nvwdmcpl.dll -> C:\WINDOWS\System32\nvwdmcpl.dll -> [2009/02/18 15:44:00 | 01,724,416 | ---- | C] ()
nview.dll -> C:\WINDOWS\System32\nview.dll -> [2009/02/18 15:44:00 | 01,507,328 | ---- | C] ()
nvwimg.dll -> C:\WINDOWS\System32\nvwimg.dll -> [2009/02/18 15:44:00 | 01,101,824 | ---- | C] ()
nvshell.dll -> C:\WINDOWS\System32\nvshell.dll -> [2009/02/18 15:44:00 | 00,466,944 | ---- | C] ()
primopdf.ini -> C:\WINDOWS\primopdf.ini -> [2008/04/28 18:13:33 | 00,000,310 | ---- | C] ()
CopyToSendTo.dll -> C:\WINDOWS\System32\CopyToSendTo.dll -> [2008/04/14 11:00:00 | 00,061,440 | ---- | C] ()
las31l71.dll -> C:\WINDOWS\las31l71.dll -> [2008/04/14 11:00:00 | 00,045,056 | ---- | C] ()
win.ini -> C:\WINDOWS\win.ini -> [2008/04/14 11:00:00 | 00,000,800 | ---- | C] ()
system.ini -> C:\WINDOWS\system.ini -> [2008/04/14 11:00:00 | 00,000,227 | ---- | C] ()
HMTCD.dll -> C:\WINDOWS\System32\HMTCD.dll -> [2003/09/23 13:40:34 | 00,394,240 | ---- | C] ()
iyvu9_32.dll -> C:\WINDOWS\System32\iyvu9_32.dll -> [1997/06/14 01:56:08 | 00,056,832 | ---- | C] ()
giveio.sys -> C:\WINDOWS\System32\giveio.sys -> [1996/04/03 20:33:26 | 00,005,248 | ---- | C] ()
[Files/Folders - Modified Within 30 Days]
7 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp ->
nvapps.xml -> C:\WINDOWS\System32\nvapps.xml -> [2009/08/29 14:05:14 | 00,212,641 | ---- | M] ()
Perflib_Perfdata_7f8.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_7f8.dat -> [2009/08/29 14:05:12 | 00,016,384 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2009/08/29 14:04:30 | 00,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2009/08/29 14:04:28 | 00,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2009/08/29 14:04:27 | 21,468,16000 | -HS- | M] ()
CF17295.exe -> C:\WINDOWS\System32\CF17295.exe -> [2009/08/29 14:02:42 | 00,389,120 | ---- | M] (Microsoft Corporation)
CleanMe.exe -> C:\Documents and Settings\Administrator\Desktop\CleanMe.exe -> [2009/08/29 14:02:28 | 03,188,248 | R--- | M] ()
CF17149.exe -> C:\WINDOWS\System32\CF17149.exe -> [2009/08/29 14:01:57 | 00,389,120 | ---- | M] (Microsoft Corporation)
Scheduled Update for Ask Toolbar.job -> C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job -> [2009/08/29 14:01:00 | 00,000,250 | ---- | M] ()
NTUSER.DAT -> C:\Documents and Settings\Administrator\NTUSER.DAT -> [2009/08/29 13:00:38 | 04,456,448 | -H-- | M] ()
ntuser.ini -> C:\Documents and Settings\Administrator\ntuser.ini -> [2009/08/28 23:03:06 | 00,000,178 | -HS- | M] ()
OTS.exe -> C:\Documents and Settings\Administrator\Desktop\OTS.exe -> [2009/08/28 22:53:08 | 00,514,048 | ---- | M] (OldTimer Tools)
Perflib_Perfdata_768.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_768.dat -> [2009/08/28 22:48:21 | 00,016,384 | ---- | M] ()
Bookmarks 2009-08-28.json -> C:\Documents and Settings\Administrator\Desktop\Bookmarks 2009-08-28.json -> [2009/08/28 22:32:02 | 00,073,761 | ---- | M] ()
Perflib_Perfdata_25c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_25c.dat -> [2009/08/28 22:08:31 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_624.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_624.dat -> [2009/08/28 21:48:32 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_170.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_170.dat -> [2009/08/28 19:41:47 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_308.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_308.dat -> [2009/08/28 19:33:34 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_7f4.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_7f4.dat -> [2009/08/28 18:18:15 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_614.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_614.dat -> [2009/08/28 18:16:17 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_704.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_704.dat -> [2009/08/28 18:16:13 | 00,016,384 | ---- | M] ()
CF13640.exe -> C:\WINDOWS\System32\CF13640.exe -> [2009/08/28 18:13:23 | 00,389,120 | ---- | M] (Microsoft Corporation)
CF12990.exe -> C:\WINDOWS\System32\CF12990.exe -> [2009/08/28 18:10:03 | 00,389,120 | ---- | M] (Microsoft Corporation)
CF14402.exe -> C:\WINDOWS\System32\CF14402.exe -> [2009/08/28 15:30:00 | 00,389,120 | ---- | M] (Microsoft Corporation)
CF14225.exe -> C:\WINDOWS\System32\CF14225.exe -> [2009/08/28 15:29:07 | 00,389,120 | ---- | M] (Microsoft Corporation)
CF13416.exe -> C:\WINDOWS\System32\CF13416.exe -> [2009/08/28 15:24:59 | 00,389,120 | ---- | M] (Microsoft Corporation)
vpcimxnoqx.exe -> C:\WINDOWS\Temp\vpcimxnoqx.exe -> [2009/08/27 22:21:01 | 00,061,440 | ---- | M] (Microsoft Corporation)
malware.lnk -> C:\Documents and Settings\All Users\Desktop\malware.lnk -> [2009/08/27 22:11:22 | 00,000,696 | ---- | M] ()
index.dat -> C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat -> [2009/08/27 22:06:25 | 00,032,768 | ---- | M] ()
index.dat -> C:\WINDOWS\Temp\History\History.IE5\index.dat -> [2009/08/27 22:06:25 | 00,016,384 | ---- | M] ()
index.dat -> C:\WINDOWS\Temp\Cookies\index.dat -> [2009/08/27 22:06:25 | 00,016,384 | ---- | M] ()
CF5798.exe -> C:\WINDOWS\System32\CF5798.exe -> [2009/08/27 22:02:40 | 00,389,120 | ---- | M] (Microsoft Corporation)
boot.ini -> C:\boot.ini -> [2009/08/27 21:58:14 | 00,000,302 | RHS- | M] ()
CF4609.exe -> C:\WINDOWS\System32\CF4609.exe -> [2009/08/27 21:56:36 | 00,389,120 | ---- | M] (Microsoft Corporation)
57852f5b.sys -> C:\WINDOWS\System32\drivers\57852f5b.sys -> [2009/08/27 19:53:30 | 00,000,000 | ---- | M] ()
Perflib_Perfdata_630.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_630.dat -> [2009/08/27 19:50:07 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_638.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_638.dat -> [2009/08/27 19:44:40 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_188.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_188.dat -> [2009/08/27 19:33:13 | 00,016,384 | ---- | M] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2009/08/27 19:10:09 | 00,002,206 | ---- | M] ()
pesvbqmois.exe -> C:\WINDOWS\Temp\pesvbqmois.exe -> [2009/08/26 18:21:28 | 00,092,160 | ---- | M] ()
wininit.ini -> C:\WINDOWS\wininit.ini -> [2009/08/25 12:56:31 | 00,002,334 | ---- | M] ()
ritnvrabvp.exe -> C:\WINDOWS\Temp\ritnvrabvp.exe -> [2009/08/25 12:47:45 | 00,096,256 | ---- | M] ()
HijackThis.lnk -> C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk -> [2009/08/25 12:36:27 | 00,001,734 | ---- | M] ()
pool.bin -> C:\WINDOWS\System32\pool.bin -> [2009/08/25 12:33:18 | 00,000,256 | ---- | M] ()
Mozilla Firefox.lnk -> C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk -> [2009/08/24 21:45:19 | 00,001,602 | ---- | M] ()
Bookmarks 2009-08-24.json -> C:\Documents and Settings\Administrator\Desktop\Bookmarks 2009-08-24.json -> [2009/08/24 21:39:31 | 00,074,646 | ---- | M] ()
GDIPFONTCACHEV1.DAT -> C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2009/08/24 17:39:05 | 00,100,944 | ---- | M] ()
FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2009/08/24 17:29:38 | 00,370,488 | ---- | M] ()
IconCache.db -> C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db -> [2009/08/23 23:12:07 | 03,706,996 | -H-- | M] ()
CCleaner.lnk -> C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk -> [2009/08/23 23:07:51 | 00,001,548 | ---- | M] ()
Snuhacokuvomuy.dat -> C:\WINDOWS\Snuhacokuvomuy.dat -> [2009/08/23 22:19:49 | 00,000,120 | ---- | M] ()
Spybot - Search & Destroy.lnk -> C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk -> [2009/08/23 22:06:38 | 00,000,933 | ---- | M] ()
Age of Empires II.lnk -> C:\Documents and Settings\Administrator\Desktop\Age of Empires II.lnk -> [2009/08/23 17:24:34 | 00,001,819 | ---- | M] ()
ntuser.pol -> C:\Documents and Settings\Administrator\ntuser.pol -> [2009/08/23 14:27:28 | 00,000,452 | RHS- | M] ()
Perflib_Perfdata_618.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_618.dat -> [2009/08/23 10:16:22 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_908.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_908.dat -> [2009/08/23 10:15:57 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_af0.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_af0.dat -> [2009/08/23 10:12:53 | 00,016,384 | ---- | M] ()
win.ini -> C:\WINDOWS\win.ini -> [2009/08/23 10:10:42 | 00,000,800 | ---- | M] ()
Boot.bak -> C:\Boot.bak -> [2009/08/23 10:10:42 | 00,000,232 | ---- | M] ()
system.ini -> C:\WINDOWS\system.ini -> [2009/08/23 10:10:42 | 00,000,227 | ---- | M] ()
Perflib_Perfdata_77c.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_77c.dat -> [2009/08/23 10:00:25 | 00,016,384 | ---- | M] ()
Perflib_Perfdata_824.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_824.dat -> [2009/08/23 10:00:20 | 00,016,384 | ---- | M] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2009/08/23 03:09:13 | 00,229,376 | ---- | M] ()
CONFIG.NT -> C:\WINDOWS\System32\CONFIG.NT -> [2009/08/22 20:35:38 | 00,002,577 | ---- | M] ()
BullGuard.lnk -> C:\Documents and Settings\All Users\Desktop\BullGuard.lnk -> [2009/08/22 20:27:23 | 00,000,838 | ---- | M] ()
setupeng.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\_av_inet.tm~a05532\setupeng.exe -> [2009/08/22 19:32:39 | 37,778,896 | ---- | M] ()
trialkey.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\trialkey.dat -> [2009/08/22 19:18:46 | 00,000,070 | ---- | M] ()
avgdm85_packmap_free_0409.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\avgdm85_packmap_free_0409.dat -> [2009/08/22 19:18:35 | 00,003,022 | ---- | M] ()
freekeys.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\freekeys.dat -> [2009/08/22 19:18:35 | 00,000,529 | ---- | M] ()
avgdm85_prodmap_pro_0409.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\avgdm85_prodmap_pro_0409.dat -> [2009/08/22 19:18:29 | 00,002,911 | ---- | M] ()
avgdm85_prodmap_free_0409.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\avgdm85_prodmap_free_0409.dat -> [2009/08/22 19:18:29 | 00,002,911 | ---- | M] ()
avgdm85_prodmap_sals_0356.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\avgdm85_prodmap_sals_0356.dat -> [2009/08/22 19:18:29 | 00,002,910 | ---- | M] ()
avgrsa.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\34\avgrsa.exe -> [2009/08/22 18:53:29 | 01,013,528 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsx.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\34\avgrsx.exe -> [2009/08/22 18:53:29 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrssta.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\34\avgrssta.dll -> [2009/08/22 18:53:29 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgrsstx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\34\avgrsstx.dll -> [2009/08/22 18:53:29 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcorex.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\4\avgcorex.dll -> [2009/08/22 18:53:28 | 02,062,104 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcsrvx.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\4\avgcsrvx.exe -> [2009/08/22 18:53:28 | 00,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcrlpx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\4\avgcrlpx.dll -> [2009/08/22 18:53:28 | 00,070,424 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcclix.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\4\avgcclix.dll -> [2009/08/22 18:53:27 | 00,418,072 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgclitx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\4\avgclitx.dll -> [2009/08/22 18:53:27 | 00,390,424 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgsea.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\36\avgsea.dll -> [2009/08/22 18:53:27 | 00,188,184 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgse.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\36\avgse.dll -> [2009/08/22 18:53:27 | 00,114,968 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgxch32.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\11\avgxch32.dll -> [2009/08/22 18:53:26 | 00,354,072 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgoff2k.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\7\avgoff2k.dll -> [2009/08/22 18:53:26 | 00,264,984 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgscanx.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\15\avgscanx.exe -> [2009/08/22 18:53:25 | 00,761,624 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgvvx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\15\avgvvx.dll -> [2009/08/22 18:53:25 | 00,515,864 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdwsc.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\15\avgwdwsc.dll -> [2009/08/22 18:53:25 | 00,423,424 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgscanx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\15\avgscanx.dll -> [2009/08/22 18:53:25 | 00,339,736 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgmvflx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\15\avgmvflx.dll -> [2009/08/22 18:53:25 | 00,305,944 | ---- | M] (AVG Technologies CZ, s.r.o.)
avg7api.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\15\avg7api.dll -> [2009/08/22 18:53:25 | 00,222,488 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgmail.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\15\avgmail.dll -> [2009/08/22 18:53:25 | 00,177,432 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgxpl.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgxpl.dll -> [2009/08/22 18:52:01 | 01,008,920 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcmgr.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgcmgr.exe -> [2009/08/22 18:52:01 | 00,845,080 | ---- | M] (AVG Technologies CZ, s.r.o.)
avglvex.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avglvex.dll -> [2009/08/22 18:52:01 | 00,197,912 | ---- | M] (AVG Technologies CZ, s.r.o.)
sporder.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\sporder.dll -> [2009/08/22 18:52:01 | 00,008,464 | ---- | M] (Microsoft Corporation)
sb2.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\sb2.dat -> [2009/08/22 18:52:01 | 00,002,588 | ---- | M] ()
cf.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\cf.dat -> [2009/08/22 18:52:01 | 00,000,204 | ---- | M] ()
ph.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\ph.dat -> [2009/08/22 18:52:01 | 00,000,120 | ---- | M] ()
avgwd.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgwd.dll -> [2009/08/22 18:52:00 | 01,262,368 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgssie.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgssie.dll -> [2009/08/22 18:52:00 | 01,111,320 | ---- | M] (AVG Technologies CZ, s.r.o.)
dbghelp.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\dbghelp.dll -> [2009/08/22 18:52:00 | 01,045,128 | ---- | M] (Microsoft Corporation)
avgssff.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgssff.dll -> [2009/08/22 18:52:00 | 01,033,496 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgsrmx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgsrmx.dll -> [2009/08/22 18:52:00 | 00,681,240 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgnsx.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgnsx.exe -> [2009/08/22 18:52:00 | 00,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgsched.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgsched.dll -> [2009/08/22 18:52:00 | 00,530,712 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtbapi.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgtbapi.dll -> [2009/08/22 18:52:00 | 00,493,848 | ---- | M] (AVG Technologies CZ, s.r.o.)
fixcfg.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\fixcfg.exe -> [2009/08/22 18:52:00 | 00,423,192 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgsrmax.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgsrmax.exe -> [2009/08/22 18:52:00 | 00,341,272 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgwdsvc.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgwdsvc.exe -> [2009/08/22 18:52:00 | 00,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.)
dfncfg.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\dfncfg.dat -> [2009/08/22 18:52:00 | 00,088,863 | ---- | M] ()
avgpp.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgpp.dll -> [2009/08/22 18:52:00 | 00,087,320 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgupd.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgupd.dll -> [2009/08/22 18:51:59 | 01,475,352 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgapix.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgapix.dll -> [2009/08/22 18:51:59 | 01,262,872 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgupd.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgupd.exe -> [2009/08/22 18:51:59 | 01,165,592 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcfgx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgcfgx.dll -> [2009/08/22 18:51:59 | 00,836,888 | ---- | M] (AVG Technologies CZ, s.r.o.)
avginet.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avginet.dll -> [2009/08/22 18:51:59 | 00,758,040 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgcfgex.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgcfgex.exe -> [2009/08/22 18:51:59 | 00,730,392 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgiproxy.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgiproxy.exe -> [2009/08/22 18:51:59 | 00,587,032 | ---- | M] (AVG Technologies CZ, s.r.o.)
avglogx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avglogx.dll -> [2009/08/22 18:51:59 | 00,337,176 | ---- | M] (AVG Technologies CZ, s.r.o.)
avglngx.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avglngx.dll -> [2009/08/22 18:51:59 | 00,310,552 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgamnot.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgamnot.dll -> [2009/08/22 18:51:59 | 00,271,640 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgdumpx.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgdumpx.exe -> [2009/08/22 18:51:59 | 00,100,120 | ---- | M] (AVG Technologies CZ, s.r.o.)
setup.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\setup.exe -> [2009/08/22 18:51:58 | 03,299,608 | ---- | M] (AVG Technologies CZ, s.r.o.)
setup.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\setup.dat -> [2009/08/22 18:51:58 | 01,092,424 | ---- | M] ()
avgui.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgui.exe -> [2009/08/22 18:51:57 | 03,497,240 | ---- | M] (AVG Technologies CZ, s.r.o.)
avguires.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avguires.dll -> [2009/08/22 18:51:57 | 02,808,600 | ---- | M] (AVG Technologies CZ, s.r.o.)
avguiadv.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avguiadv.dll -> [2009/08/22 18:51:57 | 02,308,888 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgtray.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgtray.exe -> [2009/08/22 18:51:57 | 02,007,832 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgresf.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgresf.dll -> [2009/08/22 18:51:56 | 02,352,920 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgfrw.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgfrw.exe -> [2009/08/22 18:51:56 | 01,217,816 | ---- | M] (AVG Technologies CZ, s.r.o.)
avgabout.dll -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\avgabout.dll -> [2009/08/22 18:51:56 | 01,209,112 | ---- | M] (AVG Technologies CZ, s.r.o.)
afuinst64.dat -> C:\Documents and Settings\Administrator\Local Settings\Temp\AVGDownloadManager\packages\35\afuinst64.dat -> [2009/08/22 18:51:56 | 00,317,440 | ---- | M] ()
E88D4.exe -> C:\WINDOWS\E88D4.exe -> [2009/08/22 18:46:02 | 00,005,095 | -HS- | M] ()
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/08/22 18:38:27 | 00,005,371 | ---- | M] ()
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/08/22 18:37:28 | 00,006,510 | ---- | M] ()
METAL GEAR SOLID2 SUBSTANCE.lnk -> C:\Documents and Settings\All Users\Desktop\METAL GEAR SOLID2 SUBSTANCE.lnk -> [2009/08/22 18:11:41 | 00,000,972 | ---- | M] ()
Perflib_Perfdata_7fc.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_7fc.dat -> [2009/08/22 09:29:24 | 00,016,384 | ---- | M] ()
Excel 2007.lnk -> C:\Documents and Settings\Administrator\Desktop\Excel 2007.lnk -> [2009/08/18 17:11:37 | 00,002,473 | ---- | M] ()
PrimoPDFSet.xml -> C:\Documents and Settings\Administrator\Application Data\PrimoPDFSet.xml -> [2009/08/17 17:20:51 | 00,006,491 | ---- | M] ()
Microsoft Office Access 2007.lnk -> C:\Documents and Settings\Administrator\Desktop\Microsoft Office Access 2007.lnk -> [2009/08/13 15:58:43 | 00,002,471 | ---- | M] ()
Word 2007.lnk -> C:\Documents and Settings\Administrator\Desktop\Word 2007.lnk -> [2009/08/06 12:51:46 | 00,002,515 | ---- | M] ()
Microsoft AutoRoute.lnk -> C:\Documents and Settings\Administrator\Desktop\Microsoft AutoRoute.lnk -> [2009/08/03 22:39:09 | 00,002,399 | ---- | M] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation)
Backup - Clik Service.lnk -> C:\Documents and Settings\Administrator\Desktop\Backup - Clik Service.lnk -> [2009/08/01 16:47:59 | 00,001,589 | ---- | M] ()
Clik Service.lnk -> C:\Documents and Settings\Administrator\Desktop\Clik Service.lnk -> [2009/08/01 16:47:59 | 00,001,577 | ---- | M] ()
opa12.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat -> [2009/03/12 19:23:56 | 00,008,206 | ---- | M] ()
avenger.exe -> C:\Documents and Settings\Administrator\Local Settings\Temp\Rar$EX00.547\avenger.exe -> [2008/05/30 23:09:46 | 00,731,136 | ---- | M] ()
< End of report >
[/code]
Open OTScanIt. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Driver Services - Safe List]
YN -> (57852f5b) 57852f5b [Kernel | System | Stopped] -> C:\WINDOWS\System32\drivers\57852f5b.sys
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "avast!" -> C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe]
YN -> "AVG8_TRAY" -> C:\PROGRA~1\AVG\AVG8\avgtray.exe [C:\PROGRA~1\AVG\AVG8\avgtray.exe]
YN -> "UnlockerAssistant" -> C:\Program Files\Unlocker\UnlockerAssistant.exe [C:\Program Files\Unlocker\UnlockerAssistant.exe -H]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{2670000A-7350-4f3c-8081-5663EE0C6C49}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> {86D4B82A-ABED-442A-BE86-96357B70F4FE} -> Ask Toolbar
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp
NY -> CleanMe -> C:\CleanMe
NY -> CF17295.exe -> C:\WINDOWS\System32\CF17295.exe
NY -> CF17149.exe -> C:\WINDOWS\System32\CF17149.exe
NY -> ComboFix -> C:\ComboFix
NY -> CF13640.exe -> C:\WINDOWS\System32\CF13640.exe
NY -> CF12990.exe -> C:\WINDOWS\System32\CF12990.exe
NY -> CleanMe.exe -> C:\Documents and Settings\Administrator\Desktop\CleanMe.exe
NY -> CF14402.exe -> C:\WINDOWS\System32\CF14402.exe
NY -> CF14225.exe -> C:\WINDOWS\System32\CF14225.exe
NY -> CF13416.exe -> C:\WINDOWS\System32\CF13416.exe
NY -> CF5798.exe -> C:\WINDOWS\System32\CF5798.exe
NY -> CF4609.exe -> C:\WINDOWS\System32\CF4609.exe
NY -> 57852f5b.sys -> C:\WINDOWS\System32\drivers\57852f5b.sys
NY -> E88D4.exe -> C:\WINDOWS\E88D4.exe
[Files/Folders - Modified Within 30 Days]
NY -> CF17295.exe -> C:\WINDOWS\System32\CF17295.exe
NY -> CleanMe.exe -> C:\Documents and Settings\Administrator\Desktop\CleanMe.exe
NY -> CF17149.exe -> C:\WINDOWS\System32\CF17149.exe
NY -> CF13640.exe -> C:\WINDOWS\System32\CF13640.exe
NY -> CF12990.exe -> C:\WINDOWS\System32\CF12990.exe
NY -> CF14402.exe -> C:\WINDOWS\System32\CF14402.exe
NY -> CF14225.exe -> C:\WINDOWS\System32\CF14225.exe
NY -> CF13416.exe -> C:\WINDOWS\System32\CF13416.exe
NY -> CF5798.exe -> C:\WINDOWS\System32\CF5798.exe
NY -> CF4609.exe -> C:\WINDOWS\System32\CF4609.exe
NY -> 57852f5b.sys -> C:\WINDOWS\System32\drivers\57852f5b.sys
NY -> pesvbqmois.exe -> C:\WINDOWS\Temp\pesvbqmois.exe
NY -> ritnvrabvp.exe -> C:\WINDOWS\Temp\ritnvrabvp.exe
[Empty Temp Folders]
The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.
Warning: This fix is for this user only. DO NOT duplicate this fix or you risk damaging your own system
Please post a fresh sysprot log also
OTS bit done.
Sysprot log
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmsdjnkvxf.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 8929B6DA
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 892A56DA
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 89EFB61C
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 8A271E8C
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 89FD50CB
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 892DD6DB
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
----------------------------------------------------------------------------------------
Step 1
Start Sysprot
Click the "Kernel Modules" tab.
Click the following lines (in red) and then click Disable
\systemroot\system32\drivers\kbiwkmsdjnkvxf.sys ------ kbiwkmpkbmwnli
Reboot the machine
Repeat steps 1 to 4 (SysProt AntiRootkit will detect the same rootkit driver again)
----------------------------------------------------------------------------------------
Step 2
Malwarebytes' Anti-Malware
Start MalwareBytes AntiMalware
Update Malwarebytes' Anti-Malware
Select the Update tab
Click Update
When the update is complete, select the Scanner tab
Select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Malwarebytes' Anti-Malware 1.40
Database version: 2713
Windows 5.1.2600 Service Pack 3
29/08/2009 19:23:31
mbam-log-2009-08-29 (19-23-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 272376
Time elapsed: 18 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Download a fresh copy of Combofix to your desktop and do the following.
Run ComboFix using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.
"%userprofile%\desktop\combofix.exe" /killall
When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If it still doesn't run, please post a fresh Sysprot log
it wont open from the run command. it says 'windows cannot find c:\....' make you typed the name correctly etc.
if i double click the desktop icon, it comes up with the windows security warning saying publisher could not be verified. i clicked cancel to that, not sure if you want me to run it from there?
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it runcf.bat Please save it on your desktop. (Next to Combofix)
@echo off
CD %~dp0
if not exist Combofix.exe (@Echo File Not found >>"%Temp%\log.txt"&&Pause&&goto End)
Combofix /Killall
DEl /q %0
:End
notepad "%Temp%\log.txt" & del log.txt
del /q %0
Double click on runcf.bat
if Combofix starts to run, please follow the on screen prompts
i found the reason the run command wouldnt work... when i downloaded a new combofix, i made a shortcut to it on the desktop rather than move the file. once moved, run command worked. but i still get a blue screen. i also tried the bat file and still get a blue screen
Avenger
Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Please download The Avenger2 by SwanDog46 (http://swandog46.geekstogo.com/avenger.zip).
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
Drivers to disable:
kbiwkmpkbmwnli
Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
Please post the Avenger log along with a fresh Sysprot log
ran avenger, but no command promt of log was produced
new sysprot log
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes
Module Name: \SystemRoot\system32\drivers\aqix.sys
Service Name: ---
Module Base: B6190000
Module End: B619F000
Hidden: Yes
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 8A08521A
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 8A0751FA
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 89FF812C
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 88FD7634
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 892186DB
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 892026DB
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
This is being stubborn !!!
What happened the last time you tried GMER ?
Did any error messages appear ?
Open the gmer folder and double click gmer.exe to run the program
On starting GMER will run a short scan, allow it to complete this, then click No if it asks you to run a full scan.
Click on the > > > tab to open the menus
http://i348.photobucket.com/albums/q323/RatHatG2G/GMER1.jpg
Click on the Services tab
http://i348.photobucket.com/albums/q323/RatHatG2G/GMER_Services_Tab.jpg
Scroll down until you find the following Service (Note: This may be highlighted in red)
kbiwkmpkbmwnli
Click on the Service Name to Highlight it, then right click and choose Delete...
http://i348.photobucket.com/albums/q323/RatHatG2G/GMER_Delete_Service.jpg
Click OK at the first confirmation dialog to remove the service
Click OK to the second confirmation dialog to remove the file
Click OK to exit the program
Please post a fresh Sysprot log from after running GMER, and let me know what happens during the GMER instructions.
last time i ran GMER, everything went according to your instructions. no extra messages appeared or anything not in your instructions.
same again this time
it just doesnt want to give up!
new sysprot log
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfqrnmsjp.sys
Service Name: kbiwkmpkbmwnli
Module Base: ---
Module End: ---
Hidden: Yes
Module Name: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys
Service Name: aujasnkj
Module Base: AB89A000
Module End: AB8AF000
Hidden: Yes
******************************************************************************************
******************************************************************************************
No SSDT Hooks found
******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8065628D
Jump To: 8A017152
Module Name: _unknown_
Hooked Function: ZwSaveKey
At Address: 806561A2
Jump To: 8A0201CA
Module Name: _unknown_
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 8A02124C
Module Name: _unknown_
Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 8A01A26C
Module Name: _unknown_
Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 89E497BB
Module Name: _unknown_
Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 8A0814A3
Module Name: _unknown_
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
A colleague has offered a suggestion, so let's give it a twirl.
It's GMER again, but a little bit different.
1. Start GMER and do a quick scan. It should give a message about rootkit activity.
2. If it asks for full scan, select "no".
3. Right click kbiwk********* and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.
4. After reboot, open GMER again and see if the corresponding service is in disabled state.
Anything is worth a try.
done that, and restarted. after opening GMER again, it says about rootkit activity and do i want to scan, i selected no and kbiw... is still highlighted in red, but under 'value', it says '[DISABLED] kbiw...'
Combofix next?
Combofix next?
Can you say "Yes" repeatedly and getting higher pitched in excitement ? :eek:
>calms down a bit<
Yes please, try running Combofix now. :bigthumb:
Can you say "Yes" repeatedly and getting higher pitched in excitement ? :eek:
>calms down a bit<
Yes please, try running Combofix now. :bigthumb:
i think you can be excited... disabling the file rather than deleting seems to have worked, and combofix ran with no problems. since running malware bytes, computer seemed much better, except firefox was still slow to load, its now back to normal, and everything else appears as it was before (well, much better than before!)
combofix log
ComboFix 09-08-30.01 - Administrator 30/08/2009 21:45.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1596 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{FDE180A3-C4F5-4D5A-B889-16C2669E1E61}\install.rdf
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1077
c:\recycler\S-1-5-21-0654824076-2271733286-061959106-4265
c:\recycler\S-1-5-21-1455334118-7554324804-828036648-8874
c:\recycler\S-1-5-21-2290957554-5505888447-933951797-3188
c:\recycler\S-1-5-21-2380437479-5536403761-104314317-2417
c:\recycler\S-1-5-21-2613669275-9719516027-093846808-3690
c:\recycler\S-1-5-21-2929841525-6134098029-813005384-3575
c:\recycler\S-1-5-21-3844252530-4614738533-477353064-6135
c:\recycler\S-1-5-21-4517616521-8748245048-747018591-5431
c:\recycler\S-1-5-21-5287203404-2150996276-361785036-2026
c:\recycler\S-1-5-21-5632783334-8520549607-717420526-9624
c:\recycler\S-1-5-21-7448197631-6742576296-211950483-1438
c:\recycler\S-1-5-21-8587057549-8691970124-785860918-1339
c:\recycler\S-1-5-21-9273069312-5560226816-759346965-4048
c:\recycler\S-1-5-21-9708960352-6255341383-697539535-9729
c:\recycler\S-1-5-21-9983706840-2963835987-531995240-8120
c:\windows\E88D4.exe
c:\windows\Fonts\FRE3OF9X.TTF
c:\windows\Fonts\FREE3OF9.TTF
c:\windows\las31l71.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\kbiwkmfqrnmsjp.sys
c:\windows\system32\drivers\kbiwkmjwrowkya.sys
c:\windows\system32\drivers\kbiwkmrqpyqydm.sys
c:\windows\system32\drivers\kbiwkmsdjnkvxf.sys
c:\windows\system32\drivers\kbiwkmspfthxwy.sys
c:\windows\system32\kbiwkmanmqiemu.dll
c:\windows\system32\kbiwkmavsvaewf.dat
c:\windows\system32\kbiwkmekqhrqcj.dll
c:\windows\system32\kbiwkmfuciorjq.dll
c:\windows\system32\kbiwkmfwbwuxxn.dat
c:\windows\system32\kbiwkmfypdivrx.dll
c:\windows\system32\kbiwkmibgimbjt.dat
c:\windows\system32\kbiwkmiqboieml.dll
c:\windows\system32\kbiwkmmemwmasu.dll
c:\windows\system32\kbiwkmnmxtynxn.dat
c:\windows\system32\kbiwkmnnxbqnen.dat
c:\windows\system32\kbiwkmnvsivtth.dll
c:\windows\system32\kbiwkmogytenin.dll
c:\windows\system32\kbiwkmoieewmxn.dat
c:\windows\system32\kbiwkmpfuyqrcj.dll
c:\windows\system32\kbiwkmqoodlalb.dat
c:\windows\system32\kbiwkmrersappp.dat
c:\windows\system32\kbiwkmrxripfya.dat
c:\windows\system32\kbiwkmspxcbfol.dll
c:\windows\system32\kbiwkmumuyxwbd.dll
c:\windows\system32\kbiwkmvcdivrcr.dll
c:\windows\system32\kbiwkmvmxnsmnt.dat
c:\windows\system32\kbiwkmvpucbvpf.dll
c:\windows\system32\kbiwkmvxsdkbxv.dll
c:\windows\system32\kbiwkmwqwevpsy.dll
c:\windows\system32\kbiwkmxsmkbmqr.dll
c:\windows\system32\kbiwkmyouevvky.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_kbiwkmpkbmwnli
-------\Service_kbiwkmpkbmwnli
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\xircom
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\program files\microsoft frontpage
2009-08-29 13:02 . 2009-08-29 13:03 -------- d-s---w- C:\CleanMe
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:11 . 2009-08-29 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 11:36 . 2009-08-25 11:36 -------- d-----w- c:\program files\Trend Micro
2009-08-23 22:07 . 2009-08-23 22:07 -------- d-----w- c:\program files\CCleaner
2009-08-23 21:06 . 2009-08-27 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:22 . 2009-08-23 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\program files\Your Company Name
2009-08-23 12:46 . 2009-08-23 12:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 19:27 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-08-22 19:27 . 2009-08-22 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\BullGuard
2009-08-22 18:34 . 2009-08-22 18:34 -------- d-----w- c:\program files\Alwil Software
2009-08-22 17:53 . 2009-08-22 17:53 -------- d-----w- c:\program files\AVG
2009-08-22 17:49 . 2009-08-23 21:19 120 ----a-w- c:\windows\Snuhacokuvomuy.dat
2009-08-22 17:46 . 2009-08-27 18:53 0 ----a-w- c:\windows\system32\drivers\57852f5b.sys
2009-08-22 17:22 . 2009-08-22 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\program files\DU Meter
2009-08-22 17:04 . 2009-08-22 17:04 -------- d-----w- c:\program files\KONAMI
2009-08-03 18:56 . 2009-08-03 18:58 -------- d-----w- c:\program files\Microsoft AutoRoute
2009-08-01 18:21 . 2009-08-28 21:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2009-08-01 15:47 . 2006-09-07 15:11 73728 ----a-w- c:\windows\system32\Sgdt32.dll
2009-08-01 15:47 . 2003-09-23 13:43 532480 ----a-w- c:\windows\system32\SdoEng100.dll
2009-08-01 15:47 . 2002-12-06 11:53 507904 ----a-w- c:\windows\system32\SdoEng90.dll
2009-08-01 15:47 . 2002-11-28 13:15 471040 ----a-w- c:\windows\system32\SdoEng80.dll
2009-08-01 15:47 . 2001-04-11 15:23 454656 ----a-w- c:\windows\system32\SdoEng70.dll
2009-08-01 15:47 . 2000-11-22 12:54 122880 ----a-w- c:\windows\system32\SGRegister.dll
2009-08-01 15:47 . 2004-08-24 11:43 1089536 ----a-w- c:\windows\system32\SdoEng110.dll
2009-08-01 15:47 . 2004-08-24 09:29 253952 ----a-w- c:\windows\system32\SDOApp.dll
2009-08-01 15:47 . 2002-12-06 11:16 86016 ----a-w- c:\windows\system32\Sgcom32.dll
2009-08-01 15:47 . 2001-03-12 11:18 227840 ----a-w- c:\windows\system32\Sdoeng.dll
2009-08-01 15:47 . 2005-08-23 11:30 2785280 ----a-w- c:\windows\system32\SdoEng120.dll
2009-08-01 15:47 . 2009-08-01 15:47 -------- d-----w- c:\program files\Clik
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 20:44 . 2009-03-07 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-30 20:26 . 2009-03-07 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-28 14:10 . 2009-03-17 18:39 -------- d-----w- c:\program files\jStock
2009-08-25 11:33 . 2009-03-13 07:53 256 ----a-w- c:\windows\system32\pool.bin
2009-08-24 16:39 . 2009-03-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-24 16:39 . 2009-03-12 20:45 100944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 16:20 . 2009-03-12 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 18:12 . 2009-04-29 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-07-22 20:14 . 2009-04-15 17:43 -------- d-----w- c:\program files\EasyCert
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\program files\PDF Editor 2
2009-07-22 20:03 . 2009-07-22 20:03 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-07-22 20:00 . 2009-07-22 20:00 -------- d-----w- c:\program files\Ask.com
2009-06-21 16:44 . 2009-06-19 19:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-03 21:58 . 2009-06-03 21:58 61440 ----a-w- c:\windows\SSEUninstaller.exe
.
------- Sigcheck -------
[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-02 809864]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-08-22 2645528]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-14 99840]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1260e6ed8901
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
backup=c:\windows\pss\kill.batStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^mel.bat183242.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\mel.bat183242.bat
backup=c:\windows\pss\mel.bat183242.batStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
R2 bsfilescan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 bsfire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [22/08/2009 18:21 1386008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [10/11/2008 14:51 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [23/03/2009 13:07 257304]
S1 57852f5b;57852f5b;c:\windows\system32\drivers\57852f5b.sys [22/08/2009 18:46 0]
S2 bsmailproxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 bgrasvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [01/06/2009 12:50 79184]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [14/03/2009 22:00 457856]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrator\Desktop\temp downloaded stuff\SysProt\SysProt\SysProtDrv.sys [29/08/2009 18:54 44288]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASPI32
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsFire
.
Contents of the 'Scheduled Tasks' folder
2009-08-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 18:50]
.
- - - - ORPHANS REMOVED - - - -
Notify-avgrsstarter - avgrsstx.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b1seu9e4.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 21:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1264)
c:\windows\system32\BGLsp.dll
- - - - - - - > 'explorer.exe'(4092)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-08-30 21:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 20:52
Pre-Run: 192,161,538,048 bytes free
Post-Run: 192,243,597,312 bytes free
317
Looking good :)
:thanks: Big thanks to Blade81 for the disable tip :thanks:
Now then, a quick question for you ...
Do you know what mel.bat183242.bat is ?
Looking good :)
:thanks: Big thanks to Blade81 for the disable tip :thanks:
Now then, a quick question for you ...
Do you know what mel.bat183242.bat is ?
i have no idea what mel.bat183242.bat is
We would like some of those files for analysis if you don't mind.
----------------------------------------------------------------------------------------
Step 1
Please Submit a file
Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)
Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop
C:\Qoobox\Quarantine\c\windows\system32\drivers\*.*.*
C:\Qoobox\Quarantine\c\windows\system32\*.*.*
Please open LINK >>> THIS PAGE (http://www.bleepingcomputer.com/submit-malware.php?channel=4) <<<LINK in a new window.
In the box marked Link to topic where this file was requested: please put this text
http://forums.spybot.info/showthread.php?p=332396#post332396
Click the Browse button and navigate to the cab file that was created on your desktop.
Select this file and click Open
In the Largest box please put
File Requested By Katana
BSOD files
Finally click SendFile
You can now delete SFP (exe and Zip) along with the .cab file that was created
----------------------------------------------------------------------------------------
Step 2
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showthread.php?p=332396#post332396
Suspect::[4]
c:\windows\Snuhacokuvomuy.dat
c:\windows\system32\drivers\57852f5b.sys
c:\windows\pss\mel.bat183242.batStartup
File::
c:\windows\Snuhacokuvomuy.dat
c:\windows\pss\mel.bat183242.batStartup
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^mel.bat183242.bat]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
----------------------------------------------------------------------------------------
Step 3
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Combofix Log
Kaspersky Log
How are things running now ?
Files sent
combofix ran. kaspersky ran. no threats found. no log produced?
bullguard & malware bytes all come back clean
everything seems back to normal now, although there is a slight delay in loading certain websites (most load immediately, some take a little longer)
Combofix log
ComboFix 09-08-30.04 - Administrator 31/08/2009 10:59.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1509 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FILE ::
"c:\windows\pss\mel.bat183242.batStartup"
"c:\windows\Snuhacokuvomuy.dat"
file zipped: c:\windows\pss\mel.bat183242.batStartup
file zipped: c:\windows\Snuhacokuvomuy.dat
file zipped: c:\windows\system32\drivers\57852f5b.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\pss\mel.bat183242.batStartup
c:\windows\Snuhacokuvomuy.dat
.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\xircom
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\program files\microsoft frontpage
2009-08-29 13:02 . 2009-08-29 13:03 -------- d-s---w- C:\CleanMe
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:11 . 2009-08-29 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 11:36 . 2009-08-25 11:36 -------- d-----w- c:\program files\Trend Micro
2009-08-23 22:07 . 2009-08-23 22:07 -------- d-----w- c:\program files\CCleaner
2009-08-23 21:06 . 2009-08-27 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:22 . 2009-08-23 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\program files\Your Company Name
2009-08-23 12:46 . 2009-08-23 12:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 19:27 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-08-22 19:27 . 2009-08-22 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\BullGuard
2009-08-22 18:34 . 2009-08-22 18:34 -------- d-----w- c:\program files\Alwil Software
2009-08-22 17:53 . 2009-08-22 17:53 -------- d-----w- c:\program files\AVG
2009-08-22 17:46 . 2009-08-27 18:53 0 ----a-w- c:\windows\system32\drivers\57852f5b.sys
2009-08-22 17:22 . 2009-08-22 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-08-22 17:21 . 2009-08-22 17:21 -------- d-----w- c:\program files\DU Meter
2009-08-22 17:04 . 2009-08-22 17:04 -------- d-----w- c:\program files\KONAMI
2009-08-03 18:56 . 2009-08-03 18:58 -------- d-----w- c:\program files\Microsoft AutoRoute
2009-08-01 18:21 . 2009-08-30 20:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2009-08-01 15:47 . 2006-09-07 15:11 73728 ----a-w- c:\windows\system32\Sgdt32.dll
2009-08-01 15:47 . 2003-09-23 13:43 532480 ----a-w- c:\windows\system32\SdoEng100.dll
2009-08-01 15:47 . 2002-12-06 11:53 507904 ----a-w- c:\windows\system32\SdoEng90.dll
2009-08-01 15:47 . 2002-11-28 13:15 471040 ----a-w- c:\windows\system32\SdoEng80.dll
2009-08-01 15:47 . 2001-04-11 15:23 454656 ----a-w- c:\windows\system32\SdoEng70.dll
2009-08-01 15:47 . 2000-11-22 12:54 122880 ----a-w- c:\windows\system32\SGRegister.dll
2009-08-01 15:47 . 2004-08-24 11:43 1089536 ----a-w- c:\windows\system32\SdoEng110.dll
2009-08-01 15:47 . 2004-08-24 09:29 253952 ----a-w- c:\windows\system32\SDOApp.dll
2009-08-01 15:47 . 2002-12-06 11:16 86016 ----a-w- c:\windows\system32\Sgcom32.dll
2009-08-01 15:47 . 2001-03-12 11:18 227840 ----a-w- c:\windows\system32\Sdoeng.dll
2009-08-01 15:47 . 2005-08-23 11:30 2785280 ----a-w- c:\windows\system32\SdoEng120.dll
2009-08-01 15:47 . 2009-08-01 15:47 -------- d-----w- c:\program files\Clik
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 09:49 . 2009-03-07 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-31 09:48 . 2009-03-07 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-28 14:10 . 2009-03-17 18:39 -------- d-----w- c:\program files\jStock
2009-08-25 11:33 . 2009-03-13 07:53 256 ----a-w- c:\windows\system32\pool.bin
2009-08-24 16:39 . 2009-03-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-24 16:39 . 2009-03-12 20:45 100944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 16:20 . 2009-03-12 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 18:12 . 2009-04-29 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-07-22 20:14 . 2009-04-15 17:43 -------- d-----w- c:\program files\EasyCert
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\program files\PDF Editor 2
2009-07-22 20:03 . 2009-07-22 20:03 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-07-22 20:00 . 2009-07-22 20:00 -------- d-----w- c:\program files\Ask.com
2009-06-21 16:44 . 2009-06-19 19:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-03 21:58 . 2009-06-03 21:58 61440 ----a-w- c:\windows\SSEUninstaller.exe
.
------- Sigcheck -------
[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2009-08-22 2645528]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1260e6ed8901
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
backup=c:\windows\pss\kill.batStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
R2 bsfilescan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 bsfire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [22/08/2009 18:21 1386008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [10/11/2008 14:51 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [23/03/2009 13:07 257304]
S1 57852f5b;57852f5b;c:\windows\system32\drivers\57852f5b.sys [22/08/2009 18:46 0]
S2 bsmailproxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 bgrasvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [01/06/2009 12:50 79184]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [14/03/2009 22:00 457856]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASPI32
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsFire
.
Contents of the 'Scheduled Tasks' folder
2009-08-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b1seu9e4.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 11:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\BGLsp.dll
.
Completion time: 2009-08-31 11:03
ComboFix-quarantined-files.txt 2009-08-31 10:02
ComboFix2.txt 2009-08-30 20:52
Pre-Run: 192,210,362,368 bytes free
Post-Run: 192,179,752,960 bytes free
229
Upload was successful
Thanks for that, it will help us counter this infection in the future.
Right, just a couple of leftovers now. I've left them till last as there have been problems removing them from some machines.
WARNING
You must Copy/Paste (to a notepad file) or Print the information under Step 2 BEFORE YOU DO ANYTHING
----------------------------------------------------------------------------------------
Step 1
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\windows\system32\drivers\57852f5b.sys
Driver::
57852f5b
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------------------------------------
Step 2
If you are unable to access the internet after step #1, please do the following.
Double click on C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe
The do this.
Custom CFScript
[list]
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
DeQuarantine::
C:\Qoobox\Quarantine\c\windows\system32\drivers\57852f5b.sys.vir
Quit::
Save this as CFScript.txt and place it on your desktop.
Ran combofix, no problems, internet works after step 1, so step 2 not done
combofix log
ComboFix 09-08-30.04 - Administrator 31/08/2009 14:55.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1393 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\drivers\57852f5b.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\57852f5b.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_57852f5b
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.
2009-08-31 12:50 . 2009-08-31 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Hagel Technologies
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\xircom
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\windows\system32\wbem\snmp
2009-08-30 20:49 . 2009-08-30 20:49 -------- d-----w- c:\program files\microsoft frontpage
2009-08-29 13:02 . 2009-08-29 13:03 -------- d-s---w- C:\CleanMe
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:11 . 2009-08-29 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 21:11 . 2009-08-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 21:11 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 11:36 . 2009-08-25 11:36 -------- d-----w- c:\program files\Trend Micro
2009-08-23 22:07 . 2009-08-23 22:07 -------- d-----w- c:\program files\CCleaner
2009-08-23 21:06 . 2009-08-27 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 16:22 . 2009-08-23 16:22 -------- d-----w- c:\program files\Microsoft Games
2009-08-23 15:57 . 2009-08-23 15:57 -------- d-----w- c:\program files\Your Company Name
2009-08-23 12:46 . 2009-08-23 12:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-22 19:27 . 2009-08-22 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\BullGuard
2009-08-22 19:27 . 2009-08-22 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\BullGuard
2009-08-22 18:34 . 2009-08-22 18:34 -------- d-----w- c:\program files\Alwil Software
2009-08-22 17:53 . 2009-08-22 17:53 -------- d-----w- c:\program files\AVG
2009-08-22 17:22 . 2009-08-22 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Hagel Technologies
2009-08-22 17:04 . 2009-08-22 17:04 -------- d-----w- c:\program files\KONAMI
2009-08-03 18:56 . 2009-08-03 18:58 -------- d-----w- c:\program files\Microsoft AutoRoute
2009-08-01 18:21 . 2009-08-30 20:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2009-08-01 15:47 . 2006-09-07 15:11 73728 ----a-w- c:\windows\system32\Sgdt32.dll
2009-08-01 15:47 . 2003-09-23 13:43 532480 ----a-w- c:\windows\system32\SdoEng100.dll
2009-08-01 15:47 . 2002-12-06 11:53 507904 ----a-w- c:\windows\system32\SdoEng90.dll
2009-08-01 15:47 . 2002-11-28 13:15 471040 ----a-w- c:\windows\system32\SdoEng80.dll
2009-08-01 15:47 . 2001-04-11 15:23 454656 ----a-w- c:\windows\system32\SdoEng70.dll
2009-08-01 15:47 . 2000-11-22 12:54 122880 ----a-w- c:\windows\system32\SGRegister.dll
2009-08-01 15:47 . 2004-08-24 11:43 1089536 ----a-w- c:\windows\system32\SdoEng110.dll
2009-08-01 15:47 . 2004-08-24 09:29 253952 ----a-w- c:\windows\system32\SDOApp.dll
2009-08-01 15:47 . 2002-12-06 11:16 86016 ----a-w- c:\windows\system32\Sgcom32.dll
2009-08-01 15:47 . 2001-03-12 11:18 227840 ----a-w- c:\windows\system32\Sdoeng.dll
2009-08-01 15:47 . 2005-08-23 11:30 2785280 ----a-w- c:\windows\system32\SdoEng120.dll
2009-08-01 15:47 . 2009-08-01 15:47 -------- d-----w- c:\program files\Clik
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 14:02 . 2009-03-07 18:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-08-31 13:31 . 2009-03-12 20:45 100160 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 13:26 . 2009-03-07 18:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-08-28 14:10 . 2009-03-17 18:39 -------- d-----w- c:\program files\jStock
2009-08-25 11:33 . 2009-03-13 07:53 256 ----a-w- c:\windows\system32\pool.bin
2009-08-24 16:39 . 2009-03-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-23 16:20 . 2009-03-12 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 18:12 . 2009-04-29 10:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2009-07-22 20:14 . 2009-04-15 17:43 -------- d-----w- c:\program files\EasyCert
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\program files\PDF Editor 2
2009-07-22 20:03 . 2009-07-22 20:03 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-07-22 20:00 . 2009-07-22 20:00 -------- d-----w- c:\program files\Ask.com
2009-06-21 16:44 . 2009-06-19 19:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-03 21:58 . 2009-06-03 21:58 61440 ----a-w- c:\windows\SSEUninstaller.exe
.
------- Sigcheck -------
[-] 2008-12-30 04:52 361600 5AE1C2695F6523AD98B948F2887D8C5E c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-08-30_20.50.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-31 14:01 . 2009-08-31 14:01 16384 c:\windows\temp\Perflib_Perfdata_634.dat
+ 2009-08-31 14:01 . 2009-08-31 14:01 16384 c:\windows\temp\Perflib_Perfdata_26c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-12 21741864]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-08-23 304464]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:1260e6ed8901
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bgmainsvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^kill.bat]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\kill.bat
backup=c:\windows\pss\kill.batStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 bdfilespy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [14/03/2009 20:37 55504]
R2 bsfilescan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 bsfire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [10/11/2008 14:51 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [23/03/2009 13:07 257304]
S2 bsmailproxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [14/04/2008 11:00 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 bgrasvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\BGRaSvc.exe [01/06/2009 12:50 79184]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [14/03/2009 22:00 457856]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASPI32
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsFire
.
Contents of the 'Scheduled Tasks' folder
2009-08-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-02 18:50]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DU Meter - c:\program files\DU Meter\DUMeter.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b1seu9e4.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 15:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1092)
c:\windows\system32\BGLsp.dll
- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-08-31 15:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 14:04
ComboFix2.txt 2009-08-31 10:03
ComboFix3.txt 2009-08-30 20:52
Pre-Run: 192,084,692,992 bytes free
Post-Run: 192,118,636,544 bytes free
243
Ran combofix, no problems, internet works after step 1
Excellent :)
Congratulations your logs look clean :)
Let's see if I can help you keep it that way
First lets tidy up
Your logs show that Beep.sys is missing, it's not an urgently needed file, but if you have the XP pro disc or access to another XP Pro machine you can replace it in System32 folder.
(just let me know if you need any help with that )
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Uninstall OTScanIt (OTS.exe)
Open OTScanIt Click Cleanup,
If a box pops up click YES.
You can also delete any other tools we used and any logs we have produced.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
i have removed programs/logs
all working fine now. i will keep a note of the programs you have suggested, and download some of them i dont already (now) have.
Thanks for all your help. just before i found this place, i was about to look for all the CD's to re-install windows. much easier now that i dont have to do that. Expect a donation later
If its all the same to you, id rather not have to come back here!
Forgot to say, you can now close this thread, i think were all done now