Google redirect
I ran many anti-malware programs but I just can't get this virus or w/e it is to stop redirecting my searches.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Divilov at 14:14:40.78 on Mon 08/02/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1266 [GMT -4:00]
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
============== Running Processes ===============
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Page = hxxp://search.live.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.sharewareisland.com
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
uSearchAssistant = hxxp://www.sharewareisland.com/quicksearch.aspx
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://search.live.com/sphome.aspx
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Club Bing Toolbar Helper: {b771fea3-2a05-4c21-b1e2-55551a97d520} - c:\program files\club bing toolbar helper\Bmbho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Club Bing Toolbar: {719d74ab-1af9-43a1-8c62-d8750628d93e} - c:\program files\club bing toolbar\Toolbar.dll
TB: Club Bing Toolbar Helper: {b771fea3-2a05-4c21-b1e2-55551a97d520} - c:\program files\club bing toolbar helper\Bmbho.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Google Update] "c:\documents and settings\divilov\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AdminWorks Tray] "c:\acer\lanscope agent\awtray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sealmon.exe] c:\program files\oracle\information rights management\desktop\sealmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [KeyScrambler] c:\program files\keyscrambler\getting_started.html
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
Hosts: 212.95.49.50 www.google.com
Hosts: 212.95.49.50 us.search.yahoo.com
Hosts: 212.95.49.50 uk.search.yahoo.com
Hosts: 212.95.49.50 search.yahoo.com
Hosts: 212.95.49.50 www.google.com.br
Note: multiple HOSTS entries found. Please refer to Attach.txt
============= SERVICES / DRIVERS ===============
R1 prodrv03;Star Force copy protection driver v3;c:\windows\system32\drivers\prodrv03.sys [2009-3-15 115936]
R2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2007-4-26 75032]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-3 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-5-30 14616]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\microsoft.net\framework\v4.0.21006\mscorsvw.exe [2009-10-7 129856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-29 136176]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\empowering technology\eacoustics\oddspeedctl\speedcontrol.exe [2005-2-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-2-13 8192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [2009-10-7 752984]
S3 XDva349;XDva349;\??\c:\windows\system32\xdva349.sys --> c:\windows\system32\XDva349.sys [?]
=============== Created Last 30 ================
2010-08-02 17:04:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-02 16:40:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-02 16:36:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-02 16:34:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-02 16:15:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 04:08:58 0 d-----w- c:\program files\JA2 Unfinished Business
2010-08-01 04:06:34 0 d-----w- c:\program files\Jagged Alliance 2 Gold
2010-07-31 20:43:31 0 d-----w- c:\program files\The Island Castaway Betatest
2010-07-31 17:32:50 0 d-----w- c:\program files\Black Isle
2010-07-24 20:43:38 0 d-----w- c:\docume~1\divilov\applic~1\Mumble
2010-07-24 20:39:50 0 d-----w- c:\program files\Mumble
2010-07-23 21:19:04 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2010-07-23 21:18:37 0 d-----w- c:\program files\Pando Networks
2010-07-19 15:27:44 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-19 15:26:24 0 d-----w- c:\windows\system32\DirectX
2010-07-19 14:54:25 0 d-----w- c:\windows\system32\DirectX(2)
2010-07-16 23:21:04 0 d-----w- c:\docume~1\divilov\applic~1\Darkfall
2010-07-16 22:32:22 0 d-----w- c:\docume~1\divilov\applic~1\Darkfall US
2010-07-13 22:03:21 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 16:23:33 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-13 16:23:33 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-13 16:23:32 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-13 16:23:31 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-13 16:23:30 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-13 16:23:29 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-13 16:23:28 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-13 16:23:22 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-07-04 04:56:23 0 d-----w- c:\program files\CoreAffinity
==================== Find3M ====================
2010-06-06 00:27:48 85176 -c-ha-w- c:\windows\system32\mlfcache.dat
============= FINISH: 14:15:14.93 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/27/2007 1:08:19 PM
System Uptime: 8/2/2010 1:37:12 PM (1 hours ago)
Motherboard: Acer | | F690GVM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2194/199mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 71 GiB total, 30.45 GiB free.
D: is FIXED (NTFS) - 76 GiB total, 71.609 GiB free.
E: is CDROM ()
F: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Port Mouse (IntelliPoint)
Device ID: ACPI\PNP0F13\3&61AAA01&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Port Mouse (IntelliPoint)
PNP Device ID: ACPI\PNP0F13\3&61AAA01&0
Service: i8042prt
==== System Restore Points ===================
RP777: 7/19/2010 9:39:54 PM - Installed A.V.A
RP778: 7/19/2010 11:50:36 PM - Removed A.V.A
RP779: 7/19/2010 11:50:54 PM - Removed ijji REACTOR
RP780: 7/21/2010 12:49:25 AM - Removed Darkfall US
RP781: 7/23/2010 10:13:10 AM - System Checkpoint
RP782: 7/25/2010 10:02:29 AM - System Checkpoint
RP783: 7/26/2010 7:06:27 PM - System Checkpoint
RP784: 7/28/2010 1:55:06 PM - System Checkpoint
RP785: 7/29/2010 3:05:09 PM - System Checkpoint
RP786: 7/30/2010 5:44:50 PM - System Checkpoint
RP787: 7/31/2010 6:39:07 PM - System Checkpoint
==== Hosts File Hijack ======================
Hosts: 212.95.49.50 www.google.com
Hosts: 212.95.49.50 us.search.yahoo.com
Hosts: 212.95.49.50 uk.search.yahoo.com
Hosts: 212.95.49.50 search.yahoo.com
Hosts: 212.95.49.50 www.google.com.br
Hosts: 212.95.49.50 www.google.it
Hosts: 212.95.49.50 www.google.es
Hosts: 212.95.49.50 www.google.co.jp
Hosts: 212.95.49.50 www.google.com.mx
Hosts: 212.95.49.50 www.google.ca
Hosts: 212.95.49.50 www.google.com.au
Hosts: 212.95.49.50 www.google.nl
Hosts: 212.95.49.50 www.google.co.za
Hosts: 212.95.49.50 www.google.be
Hosts: 212.95.49.50 www.google.gr
Hosts: 212.95.49.50 www.google.at
Hosts: 212.95.49.50 www.google.se
Hosts: 212.95.49.50 www.google.ch
Hosts: 212.95.49.50 www.google.pt
Hosts: 212.95.49.50 www.google.dk
Hosts: 212.95.49.50 www.google.fi
Hosts: 212.95.49.50 www.google.ie
Hosts: 212.95.49.50 www.google.no
Hosts: 212.95.49.50 www.google.de
Hosts: 212.95.49.50 www.google.fr
Hosts: 212.95.49.50 www.google.co.uk
Hosts: 212.95.49.50 www.bing.com
==== Installed Programs ======================
µTorrent
2007 Microsoft Office Suite Service Pack 2 (SP2)
Acer eAcoustics Management
Acer eDataSecurity Management
Acer eDataSecurity Management 2.0.4093
Acer Empowering Technology
Acer ePerformance Management
Acer eProtection
Acer eSettings Management
Acer LANScope Agent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player 11.5
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Audacity 1.2.6
AutoHotkey 1.0.47.06
Baldur's Gate
Bonjour
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CCleaner
Club Bing Toolbar
Club Bing Toolbar Helper
Defraggler
DNA
ESET Smart Security
Far Cry (Patch 1.4)
ffdshow [rev 3026] [2009-07-05]
Foxit Reader
Fraps (remove only)
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HuxleyTheDystopia
iTunes
JA2 Unfinished Business
Jagged Alliance 2 Gold
Jagged Alliance 2 v1.13 (EN) [1.0.0.2085]
Java Auto Updater
Java(TM) 6 Update 20
Jitbit Macro Recorder
LightScribe 1.4.136.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile Beta 2
Microsoft .NET Framework 4 Extended Beta 2
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Games for Windows - LIVE Redistributable
Microsoft IntelliPoint 7.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft XML Parser
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Mumble and Murmur
NVIDIA Drivers
NVIDIA PhysX
OCA Client history tool install
OGA Notifier 2.0.0048.0
OpenAL
Oracle IRM Desktop 5.5.19 10gR3 PR5
Pando Media Booster
PayPal Plug-In
pdfsam
Prince of Persia T2T
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
Recuva
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB913433)
Skype 4.1
Sony Vegas Pro 8.0
Speccy
Spelling Dictionaries Support For Adobe Reader 8
SPSS Statistics 17.0
SWF & FLV Player 3.0 (build 3.0.33.5106)
System Requirements Lab
Trillian
Tweak UI
Twitter FriendAdder
Unlocker 1.8.7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2202131)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Ventrilo Client
VentriloMIX
Veoh Web Player
VobSub v2.23 (Remove Only)
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
WinPcap 3.1
WinRAR archiver
Xfire (remove only)
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall
==== End Of File ===========================
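The DDS report above traces the redirects to HOSTS entries that pin www.google.com, the Yahoo search hosts and www.bing.com to 212.95.49.50, so browser and anti-malware settings are beside the point until that file is clean. As an added example (not part of the thread, nor of DDS or GMER), the Python checker below parses either a raw hosts file or the `Hosts:` lines DDS prints and flags any watched search domain that resolves to something other than a loopback address. The sample input is constructed from the entries in the log; the comment and localhost lines are assumed defaults.

```python
"""Flag HOSTS-file entries that pin search-engine hostnames to a non-loopback address.

Added example for the thread above; it is not DDS or GMER code. It reads
either a raw hosts file or the "Hosts:" lines that DDS prints in its log.
"""
import ipaddress
import re

# Constructed sample: the 212.95.49.50 entries mirror the DDS "Hosts File Hijack"
# section of the thread; the header comment and localhost lines are assumed defaults.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
212.95.49.50 www.google.com
212.95.49.50 us.search.yahoo.com
212.95.49.50 www.google.co.uk
212.95.49.50 www.bing.com
::1             localhost
"""

# The same entries in the form DDS reports them (also constructed from the log).
SAMPLE_DDS_LINES = """\
Hosts: 212.95.49.50 www.google.com
Hosts: 212.95.49.50 search.yahoo.com
"""

# Brand labels whose hostnames a clean hosts file has no reason to resolve.
WATCHED_BRANDS = {"google", "yahoo", "bing"}

_DDS_PREFIX = re.compile(r"^Hosts:\s*", re.IGNORECASE)


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank lines and a DDS 'Hosts:' prefix."""
    entries = []
    for raw in text.splitlines():
        line = _DDS_PREFIX.sub("", raw).split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_loopback(ip):
    """True only for 127.0.0.0/8 or ::1; malformed addresses are treated as suspicious."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def is_search_domain(host):
    """True when any DNS label of the hostname is one of the watched brands."""
    return bool(WATCHED_BRANDS & set(host.split(".")))


def find_hijacks(text):
    """Return (ip, host) pairs where a watched search domain is pinned to a non-loopback address."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if is_search_domain(host) and not is_loopback(ip)]


def summarize(hits):
    """Group the hijacked hostnames by the address they were pinned to."""
    by_ip = {}
    for ip, host in hits:
        by_ip.setdefault(ip, []).append(host)
    return by_ip


if __name__ == "__main__":
    for sample in (SAMPLE_HOSTS, SAMPLE_DDS_LINES):
        for ip, hosts in summarize(find_hijacks(sample)).items():
            print(f"{ip}: {len(hosts)} search domain(s) pinned -> {', '.join(hosts)}")
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts and the stock content is just the `127.0.0.1 localhost` line, so any hit from this check on that system is a finding rather than a false positive; the script only reads and reports, leaving the cleanup to the helper's instructions.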
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
Step # 1: Download and Run Gmer
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error, etc.!
Please post the results from the GMER scan in your reply.
The scan went uninterrupted and I saved the file, but afterward I tried to open Chrome and I got the blue screen of death and it auto-restarted the computer for me. But now I can open Chrome without the blue screen coming up.
Here is the log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-03 14:55:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Divilov\LOCALS~1\Temp\kgndqkow.sys
---- System - GMER 1.0.15 ----
SSDT spvh.sys ZwCreateKey [0xF72940E0]
SSDT spvh.sys ZwEnumerateKey [0xF72ACDA4]
SSDT spvh.sys ZwEnumerateValueKey [0xF72AD132]
SSDT spvh.sys ZwOpenKey [0xF72940C0]
SSDT spvh.sys ZwQueryKey [0xF72AD20A]
SSDT spvh.sys ZwQueryValueKey [0xF72AD08A]
SSDT spvh.sys ZwSetValueKey [0xF72AD29C]
INT 0x73 ? 8A52CBF8
INT 0x73 ? 8A52CBF8
INT 0x83 ? 8A695BF8
INT 0xA4 ? 8A52CBF8
INT 0xB4 ? 8A52CBF8
---- Kernel code sections - GMER 1.0.15 ----
? spvh.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF48B0360, 0x3D46A5, 0xE8000020]
.text USBPORT.SYS!DllUnload F48278AC 3 Bytes JMP 8A52C1D8
.text USBPORT.SYS!DllUnload + 4 F48278B0 1 Byte [95]
.text ahmt0wxs.SYS F47AE386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ahmt0wxs.SYS F47AE3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ahmt0wxs.SYS F47AE3C4 3 Bytes [00, 80, 02]
.text ahmt0wxs.SYS F47AE3C9 1 Byte [30]
.text ahmt0wxs.SYS F47AE3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB7F0C300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF7877300, 0x1BEE, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00D56E80 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00D58E40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D55640 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!ReadFile 7C801812 5 Bytes JMP 00D56FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D59040 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00D58A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00D57B70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!OpenFileMappingW 7C80BB7A 5 Bytes JMP 00D58D20 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!DuplicateHandle 7C80DE9E 5 Bytes JMP 00D5A750 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00D586B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!FindClose 7C80EE77 5 Bytes JMP 00D587C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00D585C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!FindNextFileW 7C80EFDA 5 Bytes JMP 00D588A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D59560 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 00D57900 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetFileSize 7C810B17 5 Bytes JMP 00D57830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!SetFilePointer 7C810C2E 5 Bytes JMP 00D575A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 00D57270 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetFileType 7C810EF1 5 Bytes JMP 00D57EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00D57BF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetFileAttributesA 7C8115DC 5 Bytes JMP 00D57AF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!FlushFileBuffers 7C8126E1 5 Bytes JMP 00D57520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00D584D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00D576F0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00D5A150 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00D59AA0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00D59CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetFileTime 7C831C4D 5 Bytes JMP 00D57CE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!SetFileTime 7C831CC0 5 Bytes JMP 00D57DE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 00D58080 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00D581C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00D579D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!UnlockFile 7C8322EC 1 Byte [E9]
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!UnlockFile 7C8322EC 5 Bytes JMP 00D57FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!LockFile 7C832391 5 Bytes JMP 00D57F60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00D58830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!_hread 7C8353FE 5 Bytes JMP 00D58300 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!_llseek 7C835436 5 Bytes JMP 00D58440 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00D5A3C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetShortPathNameA 7C835BE0 5 Bytes JMP 00D58910 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00D59EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!ReplaceFile 7C836C6C 5 Bytes JMP 00D5A650 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!_hwrite 7C838B17 5 Bytes JMP 00D583A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00D56240 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00D55CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 00D56070 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00D55E70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00D557A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00D55980 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!CopyEnhMetaFileW 77F270CC 5 Bytes JMP 00D56C70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!CopyMetaFileW 77F2C3ED 5 Bytes JMP 00D56A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!CopyMetaFileA 77F2C52B 5 Bytes JMP 00D56630 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!GetMetaFileW 77F3853D 5 Bytes JMP 00D56840 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!GetEnhMetaFileW 77F397A3 5 Bytes JMP 00D56950 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!GetMetaFileA 77F44216 5 Bytes JMP 00D56410 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 00D5D190 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!StartDocA 77F45E79 5 Bytes JMP 00D5C1E0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] GDI32.dll!GetEnhMetaFileA 77F4AE35 5 Bytes JMP 00D56520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00D561B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00D55B60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00D55C50 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!PrintWindow 7E423810 5 Bytes JMP 00D56340 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 00D55BD0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[228] ole32.dll!DoDragDrop 775D0B6D 5 Bytes JMP 00D58F40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00E66E80 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00E68E40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00E65640 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!ReadFile 7C801812 5 Bytes JMP 00E66FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E69040 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00E68A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00E67B70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!OpenFileMappingW 7C80BB7A 5 Bytes JMP 00E68D20 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!DuplicateHandle 7C80DE9E 5 Bytes JMP 00E6A750 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00E686B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!FindClose 7C80EE77 5 Bytes JMP 00E687C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00E685C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!FindNextFileW 7C80EFDA 5 Bytes JMP 00E688A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E69560 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 00E67900 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetFileSize 7C810B17 5 Bytes JMP 00E67830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!SetFilePointer 7C810C2E 5 Bytes JMP 00E675A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 00E67270 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetFileType 7C810EF1 5 Bytes JMP 00E67EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00E67BF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetFileAttributesA 7C8115DC 5 Bytes JMP 00E67AF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!FlushFileBuffers 7C8126E1 5 Bytes JMP 00E67520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00E684D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00E676F0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00E6A150 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00E69AA0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00E69CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetFileTime 7C831C4D 5 Bytes JMP 00E67CE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!SetFileTime 7C831CC0 5 Bytes JMP 00E67DE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 00E68080 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00E681C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00E679D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!UnlockFile 7C8322EC 1 Byte [E9]
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!UnlockFile 7C8322EC 5 Bytes JMP 00E67FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!LockFile 7C832391 5 Bytes JMP 00E67F60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00E68830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!_hread 7C8353FE 5 Bytes JMP 00E68300 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!_llseek 7C835436 5 Bytes JMP 00E68440 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00E6A3C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!GetShortPathNameA 7C835BE0 5 Bytes JMP 00E68910 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00E69EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!ReplaceFile 7C836C6C 5 Bytes JMP 00E6A650 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] kernel32.dll!_hwrite 7C838B17 5 Bytes JMP 00E683A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00E66240 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00E65CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 00E66070 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00E65E70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00E657A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00E65980 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!CopyEnhMetaFileW 77F270CC 5 Bytes JMP 00E66C70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!CopyMetaFileW 77F2C3ED 5 Bytes JMP 00E66A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!CopyMetaFileA 77F2C52B 5 Bytes JMP 00E66630 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!GetMetaFileW 77F3853D 5 Bytes JMP 00E66840 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!GetEnhMetaFileW 77F397A3 5 Bytes JMP 00E66950 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!GetMetaFileA 77F44216 5 Bytes JMP 00E66410 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 00E6D190 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!StartDocA 77F45E79 5 Bytes JMP 00E6C1E0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] GDI32.dll!GetEnhMetaFileA 77F4AE35 5 Bytes JMP 00E66520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00E661B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00E65B60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00E65C50 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] USER32.dll!PrintWindow 7E423810 5 Bytes JMP 00E66340 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 00E65BD0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe[1312] ole32.dll!DoDragDrop 775D0B6D 5 Bytes JMP 00E68F40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.DLL (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7295042] spvh.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F729513E] spvh.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72950C0] spvh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7295800] spvh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72956D6] spvh.sys
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ahmt0wxs.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72A4B90] spvh.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A6941F8
AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Ip netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0xF7 0x75 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB3 0x7E 0xC8 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA5 0x5E 0x27 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8B 0x7D 0x57 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0xBC 0x6F 0x9B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x6F 0xAB 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x69 0xF2 0xBB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC4 0xD1 0x7E 0x98 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0xBC 0x6F 0x9B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x6F 0xAB 0x8A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x69 0xF2 0xBB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC4 0xD1 0x7E 0x98 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0xF7 0x75 0x0D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB3 0x7E 0xC8 0x41 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA5 0x5E 0x27 0xBF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8B 0x7D 0x57 0x87 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5663503-9D03-23C7-888C-4F5B40DB9B9C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5663503-9D03-23C7-888C-4F5B40DB9B9C}@nadhlmepnhbppidomdeaonnlpjod 0x69 0x61 0x63 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5663503-9D03-23C7-888C-4F5B40DB9B9C}@mafgbnjpkpaglfngnfcijbgjmk 0x69 0x61 0x63 0x6B ...
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
µTorrent
I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.
Also available here (http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394).
My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Step # 1: Download HostsXpert
Download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Open HostsXpert that you earlier unzipped on your Desktop.
Click "Make Hosts Writable?" in the upper right corner (if available).
Click "Restore Microsoft's Original Hosts File" and then click OK.
Close HostsXpert.
Note: if you used any custom Hosts (e.g. MVPS Hosts), you will have to put them back manually.
Step # 2: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
* IMPORTANT !!! Save ComboFix.exe to your Desktop.
When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
The problem got solved with step #1, but here is the ComboFix log anyway:
ComboFix 10-08-03.04 - Divilov 08/04/2010 11:43:03.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1535 [GMT -4:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Divilov\GoToAssistDownloadHelper.exe
c:\windows\01a5b801-10aa-4023-998d-a31986c9a740.ocx
c:\windows\system32\43f1c37a-c8ee-40c4-ae97-245883ef2153.dll
c:\windows\system32\ddfger.dll
c:\windows\system32\system
c:\windows\system32\system\AL2.ini
c:\windows\system32\system\eula-e.dat
c:\windows\system32\system\L2.exe
c:\windows\system32\system\servername-e.dat
c:\windows\wpe pro.INI
D:\install.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.
2010-08-02 17:04 . 2010-08-02 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-02 16:40 . 2010-08-02 16:40 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-02 16:36 . 2010-08-02 16:43 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-02 16:34 . 2010-08-02 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-02 16:15 . 2010-08-02 16:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 04:08 . 2010-08-01 04:09 -------- d-----w- c:\program files\JA2 Unfinished Business
2010-08-01 04:06 . 2010-08-01 04:12 -------- d-----w- c:\program files\Jagged Alliance 2 Gold
2010-07-31 20:43 . 2010-07-31 20:43 -------- d-----w- c:\program files\The Island Castaway Betatest
2010-07-31 17:32 . 2010-07-31 17:32 -------- d-----w- c:\program files\Black Isle
2010-07-29 18:18 . 2010-07-29 18:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-29 18:13 . 2010-07-29 18:13 -------- d-----w- c:\program files\Google
2010-07-24 20:43 . 2010-07-24 20:43 -------- d-----w- c:\documents and settings\Divilov\Application Data\Mumble
2010-07-24 20:39 . 2010-07-24 20:39 -------- d-----w- c:\program files\Mumble
2010-07-23 21:19 . 2010-07-26 19:11 -------- d-----w- c:\documents and settings\Divilov\Local Settings\Application Data\PMB Files
2010-07-23 21:19 . 2010-07-26 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-07-23 21:18 . 2010-07-23 21:18 -------- d-----w- c:\program files\Pando Networks
2010-07-19 15:38 . 2010-07-29 18:13 -------- d-----w- c:\documents and settings\Divilov\Local Settings\Application Data\Temp
2010-07-19 15:27 . 2010-07-19 15:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-19 15:26 . 2010-07-19 15:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-19 14:54 . 2010-07-19 15:26 -------- d-----w- c:\windows\system32\DirectX(2)
2010-07-16 23:21 . 2010-07-16 23:21 -------- d-----w- c:\documents and settings\Divilov\Application Data\Darkfall
2010-07-16 22:32 . 2010-07-21 04:49 -------- d-----w- c:\documents and settings\Divilov\Application Data\Darkfall US
2010-07-13 22:03 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 16:23 . 2010-07-13 16:23 -------- d-----w- c:\documents and settings\Divilov\Local Settings\Application Data\Funcom
2010-07-13 16:23 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-13 16:23 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-13 16:23 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-13 16:23 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 17:35 . 2008-10-25 12:38 -------- d-----w- c:\program files\VentriloMIX
2010-07-31 21:37 . 2008-05-24 05:15 -------- d-----w- c:\program files\JDown
2010-07-24 15:51 . 2010-03-25 23:29 -------- d-----w- c:\program files\FOnline
2010-07-20 03:50 . 2007-07-21 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-19 15:43 . 2008-02-26 02:32 -------- d-----w- c:\program files\CCleaner
2010-07-17 23:29 . 2009-11-14 23:13 -------- d-----w- c:\program files\VideoLAN
2010-07-17 23:12 . 2008-07-18 03:21 96 -c-ha-w- c:\windows\system32\HsInfo.dat
2010-07-17 02:26 . 2010-07-17 02:25 2855 ----a-w- c:\windows\PIF\SETUP.PIF
2010-07-16 22:00 . 2009-06-14 16:50 -------- d-----w- c:\documents and settings\Divilov\Application Data\uTorrent
2010-07-14 02:37 . 2007-07-21 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-12 23:30 . 2008-04-04 13:01 -------- d-----w- c:\documents and settings\Divilov\Application Data\Media Player Classic
2010-07-04 04:57 . 2010-07-04 04:56 -------- d-----w- c:\program files\CoreAffinity
2010-06-30 01:34 . 2010-06-30 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SEGA Corporation
2010-06-17 23:24 . 2010-06-17 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2010-06-14 14:31 . 2008-08-31 11:56 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 02:40 . 2010-06-14 02:40 -------- d-----w- c:\program files\Audacity
2010-06-14 02:38 . 2010-06-14 02:38 -------- d-----w- c:\documents and settings\Divilov\Application Data\DVDVideoSoftIEHelpers
2010-06-14 02:34 . 2008-07-27 11:50 -------- d-----w- c:\program files\Youtube Converter
2010-06-06 02:32 . 2010-06-06 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Tages
2010-06-06 00:27 . 2008-02-04 21:24 85176 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-25 22:59 . 2010-05-25 22:59 503808 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5558c648-n\msvcp71.dll
2010-05-25 22:59 . 2010-05-25 22:59 499712 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5558c648-n\jmc.dll
2010-05-25 22:59 . 2010-05-25 22:59 348160 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5558c648-n\msvcr71.dll
2010-05-25 22:59 . 2010-05-25 22:59 61440 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1feb7a76-n\decora-sse.dll
2010-05-25 22:59 . 2010-05-25 22:59 12800 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1feb7a76-n\decora-d3d.dll
2010-05-23 21:50 . 2010-06-02 22:08 73216 ----a-w- c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-05-12 12:59 . 2010-05-12 12:59 503808 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-283e5039-n\msvcp71.dll
2010-05-12 12:59 . 2010-05-12 12:59 499712 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-283e5039-n\jmc.dll
2010-05-12 12:59 . 2010-05-12 12:59 348160 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-283e5039-n\msvcr71.dll
2010-05-12 12:59 . 2010-05-12 12:59 61440 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-25f083fb-n\decora-sse.dll
2010-05-12 12:59 . 2010-05-12 12:59 12800 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-25f083fb-n\decora-d3d.dll
2010-05-09 21:13 . 2010-05-09 21:13 46 ----a-w- c:\windows\system32\DonationCoder_processtamer_InstallInfo.dat
2010-05-09 21:13 . 2010-05-09 21:13 46 ----a-w- c:\documents and settings\Divilov\Local Settings\Application Data\DonationCoder_processtamer_InstallInfo.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Divilov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-19 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 16860672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"sealmon.exe"="c:\program files\Oracle\Information Rights Management\Desktop\sealmon.exe" [2010-01-14 370992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"56143:TCP"= 56143:TCP:Pando Media Booster
"56143:UDP"= 56143:UDP:Pando Media Booster
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 prodrv03;Star Force copy protection driver v3;c:\windows\system32\drivers\prodrv03.sys [3/15/2009 11:58 PM 115936]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [5/30/2007 6:30 PM 14616]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe [10/7/2009 3:44 AM 129856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2010 2:13 PM 136176]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2/15/2005 12:02 PM 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2/13/2009 10:40 AM 8192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe [10/7/2009 3:44 AM 752984]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/2/2008 3:39 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 15:38]
2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 15:38]
2010-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1269103037-3874296902-2670244853-1008Core.job
- c:\documents and settings\Divilov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-19 15:38]
2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1269103037-3874296902-2670244853-1008UA.job
- c:\documents and settings\Divilov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-19 15:38]
2009-12-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 18:51]
2010-08-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.sharewareisland.com
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
uSearchAssistant = hxxp://www.sharewareisland.com/quicksearch.aspx
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-Steam - c:\program files\steam\steam.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 11:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5663503-9D03-23C7-888C-4F5B40DB9B9C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"nadhlmepnhbppidomdeaonnlpjod"=hex:69,61,63,6b,6a,69,68,65,63,6e,64,61,6b,68,
6a,6e,6d,6d,00,00
"mafgbnjpkpaglfngnfcijbgjmk"=hex:69,61,63,6b,6a,69,68,65,63,6e,64,61,6b,68,6a,
6e,6d,6d,00,00
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:5c,23,f6,67,87,30,bb,67,25,58,e6,50,61,b9,28,0b,9a,1b,24,37,b0,
6e,25,8e,dc,c6,00,fa,4b,37,44,7a,8d,3b,c1,ac,99,96,1a,46,e9,7d,c2,dd,4c,c0,\
"rkeysecu"=hex:79,e5,4b,c5,45,32,8f,b7,72,da,4e,9f,92,33,4e,b7
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1096)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-04 11:48:00
ComboFix-quarantined-files.txt 2010-08-04 15:47
Pre-Run: 31,996,473,344 bytes free
Post-Run: 32,211,333,120 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 918F19538E8BF5BDEB6ADB4581CD95FD
Step # 1: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
KILLALL::
Driver::
XDva349
File::
c:\windows\system32\XDva349.sys
Folder::
c:\Program Files\uTorrent
c:\Program Files\DNA
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-
RegNull::
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A5663503-9D03-23C7-888C-4F5B40DB9B9C}*]
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on jonpatt's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
ComboFix 10-08-04.05 - Divilov 08/05/2010 9:25.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1559 [GMT -4:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Divilov\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FILE ::
"c:\windows\system32\XDva349.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\DNA
c:\program files\DNA\13666-dna.023f.dmp
c:\program files\DNA\13666-dna.0300.dmp
c:\program files\DNA\13666-dna.050a.dmp
c:\program files\DNA\13666-dna.14b5.dmp
c:\program files\DNA\13666-dna.15d9.dmp
c:\program files\DNA\13666-dna.189d.dmp
c:\program files\DNA\13666-dna.24d0.dmp
c:\program files\DNA\13666-dna.25f6.dmp
c:\program files\DNA\13666-dna.2880.dmp
c:\program files\DNA\13666-dna.2d93.dmp
c:\program files\DNA\13666-dna.3417.dmp
c:\program files\DNA\13666-dna.355e.dmp
c:\program files\DNA\13666-dna.36e4.dmp
c:\program files\DNA\13666-dna.3764.dmp
c:\program files\DNA\13666-dna.3b0c.dmp
c:\program files\DNA\13666-dna.429b.dmp
c:\program files\DNA\13666-dna.4bb7.dmp
c:\program files\DNA\13666-dna.50c8.dmp
c:\program files\DNA\13666-dna.5463.dmp
c:\program files\DNA\13666-dna.5a2b.dmp
c:\program files\DNA\13666-dna.5a77.dmp
c:\program files\DNA\13666-dna.6618.dmp
c:\program files\DNA\13666-dna.665d.dmp
c:\program files\DNA\13666-dna.6729.dmp
c:\program files\DNA\13666-dna.75d8.dmp
c:\program files\DNA\13666-dna.87e2.dmp
c:\program files\DNA\13666-dna.8d05.dmp
c:\program files\DNA\13666-dna.9aed.dmp
c:\program files\DNA\13666-dna.a19a.dmp
c:\program files\DNA\13666-dna.a5ad.dmp
c:\program files\DNA\13666-dna.ba66.dmp
c:\program files\DNA\13666-dna.bc3a.dmp
c:\program files\DNA\13666-dna.d190.dmp
c:\program files\DNA\13666-dna.d56e.dmp
c:\program files\DNA\13666-dna.d638.dmp
c:\program files\DNA\13666-dna.d6f8.dmp
c:\program files\DNA\13666-dna.d8d9.dmp
c:\program files\DNA\13666-dna.e043.dmp
c:\program files\DNA\13666-dna.e2c0.dmp
c:\program files\DNA\13666-dna.e3bc.dmp
c:\program files\DNA\13666-dna.ea66.dmp
c:\program files\DNA\13666-dna.f347.dmp
c:\program files\DNA\13666-dna.f4f5.dmp
c:\program files\DNA\13666-dna.feb9.dmp
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_XDVA349
-------\Service_XDva349
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.
2010-08-05 02:44 . 2001-08-18 02:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-08-05 02:44 . 2001-08-18 02:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-08-05 02:00 . 2010-08-05 02:12 -------- d-----w- c:\documents and settings\Divilov\.shsh
2010-08-04 19:05 . 2010-08-04 19:05 -------- d-----w- c:\program files\iPod
2010-08-04 19:05 . 2010-08-04 19:06 -------- d-----w- c:\program files\iTunes
2010-08-04 19:05 . 2010-08-04 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-04 19:01 . 2010-08-04 19:01 -------- d-----w- c:\program files\QuickTime
2010-08-04 18:57 . 2010-08-04 18:57 -------- d-----w- c:\program files\Bonjour
2010-08-02 17:04 . 2010-08-02 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-02 16:40 . 2010-08-02 16:40 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-02 16:36 . 2010-08-02 16:43 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-02 16:34 . 2010-08-02 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-02 16:15 . 2010-08-02 16:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 04:08 . 2010-08-01 04:09 -------- d-----w- c:\program files\JA2 Unfinished Business
2010-08-01 04:06 . 2010-08-01 04:12 -------- d-----w- c:\program files\Jagged Alliance 2 Gold
2010-07-31 20:43 . 2010-07-31 20:43 -------- d-----w- c:\program files\The Island Castaway Betatest
2010-07-31 17:32 . 2010-07-31 17:32 -------- d-----w- c:\program files\Black Isle
2010-07-29 18:18 . 2010-07-29 18:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-29 18:13 . 2010-07-29 18:13 -------- d-----w- c:\program files\Google
2010-07-24 20:43 . 2010-07-24 20:43 -------- d-----w- c:\documents and settings\Divilov\Application Data\Mumble
2010-07-24 20:39 . 2010-07-24 20:39 -------- d-----w- c:\program files\Mumble
2010-07-23 21:19 . 2010-07-26 19:11 -------- d-----w- c:\documents and settings\Divilov\Local Settings\Application Data\PMB Files
2010-07-23 21:19 . 2010-07-26 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-07-23 21:18 . 2010-07-23 21:18 -------- d-----w- c:\program files\Pando Networks
2010-07-19 15:38 . 2010-07-29 18:13 -------- d-----w- c:\documents and settings\Divilov\Local Settings\Application Data\Temp
2010-07-19 15:27 . 2010-07-19 15:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-19 15:26 . 2010-07-19 15:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-19 14:54 . 2010-07-19 15:26 -------- d-----w- c:\windows\system32\DirectX(2)
2010-07-16 23:21 . 2010-07-16 23:21 -------- d-----w- c:\documents and settings\Divilov\Application Data\Darkfall
2010-07-16 22:32 . 2010-07-21 04:49 -------- d-----w- c:\documents and settings\Divilov\Application Data\Darkfall US
2010-07-13 22:03 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 16:23 . 2010-07-13 16:23 -------- d-----w- c:\documents and settings\Divilov\Local Settings\Application Data\Funcom
2010-07-13 16:23 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-13 16:23 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-13 16:23 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-13 16:23 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-13 16:23 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-04 19:05 . 2009-07-10 18:04 -------- d-----w- c:\program files\Common Files\Apple
2010-08-04 18:50 . 2010-08-04 18:50 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-02 17:35 . 2008-10-25 12:38 -------- d-----w- c:\program files\VentriloMIX
2010-07-31 21:37 . 2008-05-24 05:15 -------- d-----w- c:\program files\JDown
2010-07-24 15:51 . 2010-03-25 23:29 -------- d-----w- c:\program files\FOnline
2010-07-20 03:50 . 2007-07-21 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-19 15:43 . 2008-02-26 02:32 -------- d-----w- c:\program files\CCleaner
2010-07-17 23:29 . 2009-11-14 23:13 -------- d-----w- c:\program files\VideoLAN
2010-07-17 23:12 . 2008-07-18 03:21 96 -c-ha-w- c:\windows\system32\HsInfo.dat
2010-07-17 02:26 . 2010-07-17 02:25 2855 ----a-w- c:\windows\PIF\SETUP.PIF
2010-07-16 22:00 . 2009-06-14 16:50 -------- d-----w- c:\documents and settings\Divilov\Application Data\uTorrent
2010-07-14 02:37 . 2007-07-21 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-12 23:30 . 2008-04-04 13:01 -------- d-----w- c:\documents and settings\Divilov\Application Data\Media Player Classic
2010-07-04 04:57 . 2010-07-04 04:56 -------- d-----w- c:\program files\CoreAffinity
2010-06-30 01:34 . 2010-06-30 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SEGA Corporation
2010-06-17 23:24 . 2010-06-17 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2010-06-14 14:31 . 2008-08-31 11:56 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 02:40 . 2010-06-14 02:40 -------- d-----w- c:\program files\Audacity
2010-06-14 02:38 . 2010-06-14 02:38 -------- d-----w- c:\documents and settings\Divilov\Application Data\DVDVideoSoftIEHelpers
2010-06-14 02:34 . 2008-07-27 11:50 -------- d-----w- c:\program files\Youtube Converter
2010-06-06 00:27 . 2008-02-04 21:24 85176 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-25 22:59 . 2010-05-25 22:59 503808 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5558c648-n\msvcp71.dll
2010-05-25 22:59 . 2010-05-25 22:59 499712 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5558c648-n\jmc.dll
2010-05-25 22:59 . 2010-05-25 22:59 348160 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5558c648-n\msvcr71.dll
2010-05-25 22:59 . 2010-05-25 22:59 61440 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1feb7a76-n\decora-sse.dll
2010-05-25 22:59 . 2010-05-25 22:59 12800 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1feb7a76-n\decora-d3d.dll
2010-05-23 21:50 . 2010-06-02 22:08 73216 ----a-w- c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-12 12:59 . 2010-05-12 12:59 503808 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-283e5039-n\msvcp71.dll
2010-05-12 12:59 . 2010-05-12 12:59 499712 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-283e5039-n\jmc.dll
2010-05-12 12:59 . 2010-05-12 12:59 348160 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-283e5039-n\msvcr71.dll
2010-05-12 12:59 . 2010-05-12 12:59 61440 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-25f083fb-n\decora-sse.dll
2010-05-12 12:59 . 2010-05-12 12:59 12800 ----a-w- c:\documents and settings\Divilov\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-25f083fb-n\decora-d3d.dll
2010-05-09 21:13 . 2010-05-09 21:13 46 ----a-w- c:\windows\system32\DonationCoder_processtamer_InstallInfo.dat
2010-05-09 21:13 . 2010-05-09 21:13 46 ----a-w- c:\documents and settings\Divilov\Local Settings\Application Data\DonationCoder_processtamer_InstallInfo.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Divilov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-19 136176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 16860672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"sealmon.exe"="c:\program files\Oracle\Information Rights Management\Desktop\sealmon.exe" [2010-01-14 370992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"56143:TCP"= 56143:TCP:Pando Media Booster
"56143:UDP"= 56143:UDP:Pando Media Booster
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 prodrv03;Star Force copy protection driver v3;c:\windows\system32\drivers\prodrv03.sys [3/15/2009 11:58 PM 115936]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/21/2007 8:21 AM 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [5/30/2007 6:30 PM 14616]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe [10/7/2009 3:44 AM 129856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2010 2:13 PM 136176]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2/15/2005 12:02 PM 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2/13/2009 10:40 AM 8192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe [10/7/2009 3:44 AM 752984]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/2/2008 3:39 PM 691696]
.
Contents of the 'Scheduled Tasks' folder
2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 15:38]
2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-29 15:38]
2010-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1269103037-3874296902-2670244853-1008Core.job
- c:\documents and settings\Divilov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-19 15:38]
2010-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1269103037-3874296902-2670244853-1008UA.job
- c:\documents and settings\Divilov\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-19 15:38]
2009-12-13 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 18:51]
2010-08-05 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.sharewareisland.com
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>;*.local
uSearchAssistant = hxxp://www.sharewareisland.com/quicksearch.aspx
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 09:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:5c,23,f6,67,87,30,bb,67,25,58,e6,50,61,b9,28,0b,9a,1b,24,37,b0,
6e,25,8e,dc,c6,00,fa,4b,37,44,7a,8d,3b,c1,ac,99,96,1a,46,e9,7d,c2,dd,4c,c0,\
"rkeysecu"=hex:79,e5,4b,c5,45,32,8f,b7,72,da,4e,9f,92,33,4e,b7
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1092)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\acer\LANScope Agent\LockKM.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-05 09:37:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-05 13:37
ComboFix2.txt 2010-08-04 15:48
Pre-Run: 32,427,917,312 bytes free
Post-Run: 32,303,448,064 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B91C391DED81CAE8674EE8CD87C0F8EC
DDS (Ver_10-03-17.01) - NTFSx86
Run by Divilov at 10:01:36.09 on Thu 08/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1387 [GMT -4:00]
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
============== Running Processes ===============
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Acer\LANScope Agent\LockKM.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Divilov\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.sharewareisland.com
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>;*.local
uSearchAssistant = hxxp://www.sharewareisland.com/quicksearch.aspx
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Club Bing Toolbar Helper: {b771fea3-2a05-4c21-b1e2-55551a97d520} - c:\program files\club bing toolbar helper\Bmbho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Club Bing Toolbar: {719d74ab-1af9-43a1-8c62-d8750628d93e} - c:\program files\club bing toolbar\Toolbar.dll
TB: Club Bing Toolbar Helper: {b771fea3-2a05-4c21-b1e2-55551a97d520} - c:\program files\club bing toolbar helper\Bmbho.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Google Update] "c:\documents and settings\divilov\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AdminWorks Tray] "c:\acer\lanscope agent\awtray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sealmon.exe] c:\program files\oracle\information rights management\desktop\sealmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [KeyScrambler] c:\program files\keyscrambler\getting_started.html
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
============= SERVICES / DRIVERS ===============
R1 prodrv03;Star Force copy protection driver v3;c:\windows\system32\drivers\prodrv03.sys [2009-3-15 115936]
R2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2007-4-26 75032]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-3 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-5-30 14616]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\microsoft.net\framework\v4.0.21006\mscorsvw.exe [2009-10-7 129856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-29 136176]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\empowering technology\eacoustics\oddspeedctl\speedcontrol.exe [2005-2-15 81920]
S3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-2-13 8192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [2009-10-7 752984]
=============== Created Last 30 ================
2010-08-05 13:19:31 176 ----a-w- c:\documents and settings\divilov\defogger_reenable
2010-08-05 02:44:46 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-08-05 02:44:46 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-08-05 02:00:21 0 d-----w- c:\documents and settings\divilov\.shsh
2010-08-04 19:05:37 0 d-----w- c:\program files\iPod
2010-08-04 19:05:29 0 d-----w- c:\program files\iTunes
2010-08-04 19:05:29 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-04 18:57:06 0 d-----w- c:\program files\Bonjour
2010-08-04 15:40:08 98816 ----a-w- c:\windows\sed.exe
2010-08-04 15:40:08 77312 ----a-w- c:\windows\MBR.exe
2010-08-04 15:40:08 256512 ----a-w- c:\windows\PEV.exe
2010-08-04 15:40:08 161792 ----a-w- c:\windows\SWREG.exe
2010-08-02 17:04:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-02 16:40:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-02 16:36:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-02 16:34:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-02 16:15:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 04:08:58 0 d-----w- c:\program files\JA2 Unfinished Business
2010-08-01 04:06:34 0 d-----w- c:\program files\Jagged Alliance 2 Gold
2010-07-31 20:43:31 0 d-----w- c:\program files\The Island Castaway Betatest
2010-07-31 17:32:50 0 d-----w- c:\program files\Black Isle
2010-07-24 20:43:38 0 d-----w- c:\docume~1\divilov\applic~1\Mumble
2010-07-24 20:39:50 0 d-----w- c:\program files\Mumble
2010-07-23 21:19:04 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2010-07-23 21:18:37 0 d-----w- c:\program files\Pando Networks
2010-07-19 15:27:44 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-19 15:26:24 0 d-----w- c:\windows\system32\DirectX
2010-07-19 14:54:25 0 d-----w- c:\windows\system32\DirectX(2)
2010-07-16 23:21:04 0 d-----w- c:\docume~1\divilov\applic~1\Darkfall
2010-07-16 22:32:22 0 d-----w- c:\docume~1\divilov\applic~1\Darkfall US
2010-07-13 22:03:21 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 16:23:33 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-07-13 16:23:33 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-07-13 16:23:32 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-07-13 16:23:31 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-07-13 16:23:30 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-07-13 16:23:29 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-07-13 16:23:28 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-07-13 16:23:22 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
==================== Find3M ====================
2010-06-06 00:27:48 85176 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
============= FINISH: 10:01:51.48 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/27/2007 1:08:19 PM
System Uptime: 8/5/2010 9:30:12 AM (1 hours ago)
Motherboard: Acer | | F690GVM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2194/199mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 71 GiB total, 30.11 GiB free.
D: is FIXED (NTFS) - 76 GiB total, 71.609 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Port Mouse (IntelliPoint)
Device ID: ACPI\PNP0F13\3&61AAA01&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Port Mouse (IntelliPoint)
PNP Device ID: ACPI\PNP0F13\3&61AAA01&0
Service: i8042prt
==== System Restore Points ===================
RP777: 7/19/2010 9:39:54 PM - Installed A.V.A
RP778: 7/19/2010 11:50:36 PM - Removed A.V.A
RP779: 7/19/2010 11:50:54 PM - Removed ijji REACTOR
RP780: 7/21/2010 12:49:25 AM - Removed Darkfall US
RP781: 7/23/2010 10:13:10 AM - System Checkpoint
RP782: 7/25/2010 10:02:29 AM - System Checkpoint
RP783: 7/26/2010 7:06:27 PM - System Checkpoint
RP784: 7/28/2010 1:55:06 PM - System Checkpoint
RP785: 7/29/2010 3:05:09 PM - System Checkpoint
RP786: 7/30/2010 5:44:50 PM - System Checkpoint
RP787: 7/31/2010 6:39:07 PM - System Checkpoint
RP788: 8/2/2010 10:55:56 PM - System Checkpoint
RP789: 8/3/2010 3:57:43 PM - Software Distribution Service 3.0
RP790: 8/4/2010 7:22:04 PM - System Checkpoint
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 2 (SP2)
Acer eAcoustics Management
Acer eDataSecurity Management
Acer eDataSecurity Management 2.0.4093
Acer Empowering Technology
Acer ePerformance Management
Acer eProtection
Acer eSettings Management
Acer LANScope Agent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player 11.5
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Audacity 1.2.6
AutoHotkey 1.0.47.06
Baldur's Gate
Bonjour
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CCleaner
Club Bing Toolbar
Club Bing Toolbar Helper
Defraggler
ESET Smart Security
Far Cry (Patch 1.4)
ffdshow [rev 3026] [2009-07-05]
Foxit Reader
Fraps (remove only)
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HuxleyTheDystopia
iTunes
JA2 Unfinished Business
Jagged Alliance 2 Gold
Jagged Alliance 2 v1.13 (EN) [1.0.0.2085]
Java Auto Updater
Java(TM) 6 Update 20
Jitbit Macro Recorder
LightScribe 1.4.136.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile Beta 2
Microsoft .NET Framework 4 Extended Beta 2
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Games for Windows - LIVE Redistributable
Microsoft IntelliPoint 7.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft XML Parser
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Mumble and Murmur
NVIDIA Drivers
NVIDIA PhysX
OCA Client history tool install
OGA Notifier 2.0.0048.0
OpenAL
Oracle IRM Desktop 5.5.19 10gR3 PR5
Pando Media Booster
PayPal Plug-In
pdfsam
Prince of Persia T2T
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
Recuva
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB913433)
Skype 4.1
Sony Vegas Pro 8.0
Speccy
Spelling Dictionaries Support For Adobe Reader 8
SPSS Statistics 17.0
SWF & FLV Player 3.0 (build 3.0.33.5106)
System Requirements Lab
Trillian
Tweak UI
Twitter FriendAdder
Unlocker 1.8.7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2202131)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Ventrilo Client
VentriloMIX
Veoh Web Player
VobSub v2.23 (Remove Only)
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
WinPcap 3.1
WinRAR archiver
Xfire (remove only)
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall
==== End Of File ===========================
Step # 1 Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u21 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
Java(TM) 6 Update 20
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2 Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose
Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO
Step # 3 Run Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.
Post the MalwareBytes' Log in your next post/reply.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4395
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
8/5/2010 3:07:36 PM
mbam-log-2010-08-05 (15-07-36).txt
Scan type: Quick scan
Objects scanned: 156738
Time elapsed: 6 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Step # 1 Update Adobe Acrobat Reader
There is a newer version of Adobe Acrobat Reader available. (See Note below)
First, go to Add/Remove Programs and uninstall Adobe Reader 8.1.4.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
Note: Adobe 9.3.3 is a large program and if you prefer a smaller program you can get Foxit 4.0.0 instead from http://www.foxitsoftware.com/downloads/index.php
If you decide to install Foxit 4.1.0 instead of Adobe, do the following during Foxit's Setup/Installation process:
Uncheck the following boxes:
I accept the License Terms and want to install Foxit Toolbar
Make Ask.com my default search
Create desktop, quick launch and start menu icon to eBay.
Step # 2: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
I am never asked to install any application on Kaspersky and therefore can't run this step in either chrome or IE. But the problem has been fixed so thank you for everything.
Good to hear that the problem has been fixed.
I'd still like for you to run an online scanner to make sure we didn't miss anything. Since Kaspersky isn't working for you, try this:
I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Make sure that Remove found threats is unchecked
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
I actually already have ESET Smart Security on my computer which is my anti-virus/mal/etc.
Ok, go ahead and scan your computer with ESET Smart Security and let me know if it finds anything.
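A practitioner reading an ESET scan log like the one posted next wants to separate what the scanner actually flagged from what it merely could not open: hiberfil.sys and pagefile.sys are locked by Windows while it runs, and Spybot - Search & Destroy stores its Recovery backups as password-protected archives precisely so that other scanners cannot inspect (or trip over) them, so those "error" lines are scan limitations, not infections. The Python script below is an added example, not code from this thread, from ESET or from any tool mentioned here; it classifies lines by the status suffixes visible in the log and assumes (this is an assumption, not documented on the page) that ESET writes real detections as "<path> - <threat name> - <action taken>". The sample it runs on is constructed: most lines are copied from the log in this thread, while the invoice.zip entry, the setup.exe detection and the Malwarebytes quarantine folder are invented to show the cases that do need attention.

```python
import re
from collections import Counter

# Status suffixes that ESET's on-demand scanner writes for objects it could
# NOT inspect. None of these is a detection; each is a scan limitation.
NOISE = [
    ("locked_file",        re.compile(r" - error opening \[\d+\]$")),
    ("not_scanned_ok",     re.compile(r" - is OK \(internal scanning not performed\)$")),
    ("archive_read_error", re.compile(r" - error reading archive$")),
    ("password_protected", re.compile(r" - error - password-protected file$")),
]

# Folders where password-protected archives are expected: anti-malware tools
# keep their own backups/quarantine encrypted so other scanners do not trip
# over them. The Spybot Recovery folder appears in the log in this thread;
# the Malwarebytes quarantine path is an assumption added for generality.
EXPECTED_ENCRYPTED_DIRS = (
    "\\spybot - search & destroy\\recovery\\",
    "\\malwarebytes' anti-malware\\quarantine\\",
)

DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def classify(line):
    """Return (category, path) for one line of an ESET scan log."""
    line = line.rstrip()
    if not DRIVE_PATH.match(line):
        return "header", None                 # version/date/scope lines
    for category, pattern in NOISE:
        match = pattern.search(line)
        if match is None:
            continue
        # Before the status comes "<file on disk> » <archive type> » <member>";
        # the first segment is the object that actually exists on disk.
        path = line[: match.start()].split(" » ")[0]
        if category == "password_protected":
            if any(d in path.lower() for d in EXPECTED_ENCRYPTED_DIRS):
                return "quarantine_backup", path
            return "password_protected_unknown", path
        return category, path
    # Anything else that starts with a path is something ESET flagged. Assumed
    # format: "<path> - <threat name> - <action taken>". The path itself may
    # contain " - " (e.g. "Spybot - Search & Destroy"), so the whole line is
    # returned rather than a guessed split.
    return "detection", line


def triage(lines):
    """Count each category and collect the lines that need a human decision."""
    counts = Counter()
    actionable = []
    for line in lines:
        category, path = classify(line)
        counts[category] += 1
        if category in ("detection", "password_protected_unknown"):
            actionable.append((category, path))
    return counts, actionable


# Constructed sample: lines 1-9 are copied from the log in this thread; the
# invoice.zip line and the setup.exe detection are invented for illustration.
SAMPLE_LOG = [
    "Version of virus signature database: 5348 (20100806)",
    "Date: 8/7/2010 Time: 11:12:22 AM",
    "Scanned disks, folders and files: C:\\;D:\\",
    r"C:\hiberfil.sys - error opening [4]",
    r"C:\pagefile.sys - error opening [4]",
    r"C:\wialog.txt » MIME - is OK (internal scanning not performed)",
    r"C:\Documents and Settings\All Users\Application Data\NortonInstaller\Settings\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}.7z » 7ZIP » - error reading archive",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry.zip » ZIP » sbRecovery.reg - error - password-protected file",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde21.zip » ZIP » winvsnet.tmp - error - password-protected file",
    r"C:\Documents and Settings\User\My Documents\Downloads\invoice.zip » ZIP » invoice.exe - error - password-protected file",
    r"C:\Documents and Settings\User\Local Settings\Temp\setup.exe - a variant of Win32/Adware.Example application - cleaned by deleting - quarantined",
]


if __name__ == "__main__":
    counts, actionable = triage(SAMPLE_LOG)
    for category, n in sorted(counts.items()):
        print(f"{category:28s} {n}")
    print("needs a look:")
    for category, what in actionable:
        print(f"  [{category}] {what}")
```

Run against the full log from the thread, everything under the Spybot Recovery folder lands in quarantine_backup and the two system files in locked_file, so the only lines worth reporting back are those that end up in the actionable list. A password-protected archive outside a known quarantine folder is kept there deliberately: the scanner could not look inside it, so a human has to decide whether it is a legitimate download or something a dropper left behind.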
Scan Log
Version of virus signature database: 5348 (20100806)
Date: 8/7/2010 Time: 11:12:22 AM
Scanned disks, folders and files: C:\;D:\
C:\hiberfil.sys - error opening [4]
C:\pagefile.sys - error opening [4]
C:\wialog.txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\All Users\Application Data\NortonInstaller\Settings\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}.7z » 7ZIP » - error reading archive
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry1.zip » ZIP » kr_done1 - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt2.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt2.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt3.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt3.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt4.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt4.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt5.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IRCcrt5.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsAppFirewallBypass1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass2.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass2.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass3.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass3.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallOverride.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallOverride.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallOverride1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallOverride1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC10.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC10.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC11.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC11.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC12.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC12.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC13.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC13.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC14.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC14.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC15.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC15.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC16.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC16.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC17.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC17.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC18.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC18.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC19.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC19.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC2.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC2.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC20.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC20.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC21.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC21.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC22.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC22.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC23.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC23.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC3.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC3.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC4.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC4.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC5.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC5.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC6.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC6.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC7.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC7.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC8.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC8.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC9.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TinyBarC9.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde10.zip » ZIP » lnopgtwa.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde10.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip » ZIP » cavrdolz.job - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde12.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde12.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde13.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde13.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde14.zip » ZIP » sYJklnnn.ini2 - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde14.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde15.zip » ZIP » sYJklnnn.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde15.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip » ZIP » sYJklnnn.ini2 - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde17.zip » ZIP » sYJklnnn.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde17.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde18.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde18.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde19.zip » ZIP » sYJklnnn.ini2 - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde19.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip » ZIP » cLkjkUtv.ini2 - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde20.zip » ZIP » sYJklnnn.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde20.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde21.zip » ZIP » winvsnet.tmp - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde21.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde22.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde22.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde23.zip » ZIP » utoveton.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde23.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip » ZIP » lVwaccdd.ini2 - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip » ZIP » sYJklnnn.ini2 - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip » ZIP » sYJklnnn.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip » ZIP » txsttvha.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde7.zip » ZIP » opnhotum.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde7.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde8.zip » ZIP » geytlvgc.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde8.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde9.zip » ZIP » hwxfsqjs.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde9.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx1.zip » ZIP » ahvttsxt.dll - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx2.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx2.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx3.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx3.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx4.zip » ZIP » larihisu.dll - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx4.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx5.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx5.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx6.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx6.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx7.zip » ZIP » notevotu.dll - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx7.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx8.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx8.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip » ZIP » sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWinlagonsco.zip » ZIP » uniq.tll - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinWinlagonsco.zip » ZIP » sbRecovery.ini - error - password-protected file
C:\Documents and Settings\Divilov\ntuser.dat - error opening [4]
C:\Documents and Settings\Divilov\ntuser.dat.LOG - error opening [4]
C:\Documents and Settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_12\Data1.cab » CAB » core.zip » ZIP » lib/deploy/ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_12\Data1.cab » CAB » core.zip » ZIP » lib/deploy/jqs/ff/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_12\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_12\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_12\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_21\Data1.cab » CAB » core.zip » ZIP » lib/deploy/ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_21\Data1.cab » CAB » core.zip » ZIP » lib/deploy/jqs/ff/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_21\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_21\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Sun\Java\jre1.6.0_21\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Thunderbird\Profiles\ct2st898.default\Mail\Local Folders\Drafts » MBOX - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Thunderbird\Profiles\ct2st898.default\Mail\Local Folders\Inbox » MBOX - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Thunderbird\Profiles\ct2st898.default\Mail\Local Folders\Sent » MBOX - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Application Data\Thunderbird\Profiles\ct2st898.default\Mail\Local Folders\Trash » MBOX - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\Local Settings\Application Data\Google\Chrome\User Data\Default\Current Session - error opening [4]
C:\Documents and Settings\Divilov\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db - error opening [4]
C:\Documents and Settings\Divilov\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow - error opening [4]
C:\Documents and Settings\Divilov\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Documents and Settings\Divilov\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]
C:\Documents and Settings\Divilov\My Documents\DP\1800.zip » ZIP » 1800articles/1800 plr articles/25Golden-Retriever.zip » ZIP » Golden-Retriever/Common-Health-Problems.txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\My Documents\DP\1800.zip » ZIP » 1800articles/1800 plr articles/25High-Definition-Video-Cameras.zip » ZIP » High Definition Video Cameras/Controls-And-Features.txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\My Documents\DP\1800.zip » ZIP » 1800articles/1800 plr articles/75Marketing.zip » ZIP » 25-BONUS-ARTICLES/25 _articles_marketing/BW-Free-website-traffic-tactics.txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\My Documents\DP\share\cam.zip » ZIP » com/mindprod/common11/common11.use » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\Divilov\My Documents\DP\share\cam.zip » ZIP » com/mindprod/common11/version.txt » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening [4]
C:\Downloads\Die_By_The_Sword__ISO_.part1.rar » RAR » - next archive volume not found
C:\Downloads\i_h4V3_NO_M0UTh_4nD_1_MU5T_scR34M_5pAzZER.part1.rar » RAR » i h4V3 NO M0UTh 4nD 1 MU5T scR34M_5pAzZER\I Have No Mouth and I Must Scream\NoMouth.iso - Incorrect file checksum (CRC); the file is probably password protected.
C:\Downloads\i_h4V3_NO_M0UTh_4nD_1_MU5T_scR34M_5pAzZER.part1.rar » RAR » - next archive volume not found
C:\i386\COMPDATA\MSMQCOMP.TXT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » PROCESS_LIBRARY.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HIRING_REQUISITION_CUSTOMIZED.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HIRING_REQUISITION.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » TRACK_ISSUES.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » POLICIES.FDT » MIME - is OK (internal scanning not performed)
C:\Program Files\Audacity\audacity-1.2-help.htb » ZIP » audacity.hhp » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.A1FFBB52_4F2E_44F1_8614_5D66C2EF43F0 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.03A77D79_488A_445D_B528_0E0089E3FCB3 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.D495C848_F235_46BF_A9A0_77D7C2120E3B » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.445237FC_7259_4EAD_ACEF_7ED7A95D32D7 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.79A89863_540B_470E_9C71_D57F22BFA44D » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.5ACB9F6A_C06C_4121_B854_7133C2ED29A8 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.15989D71_6BEB_424A_88DF_78A882081F91 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.1C571119_9D2B_4542_84BD_0CD3AA24E739 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.C4EB4D09_95BA_4DC2_9551_B6E637DA2230 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.C39C5B26_ED03_4B04_9CFD_166FDC7523D1 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.C05C46CB_E961_4BBA_86BE_4FE1A4426A32 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.87E45AFF_C0E7_4B6E_8E37_52EEB71BF5B7 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.E34CAC5A_4546_4E3A_BFFA_CE28E0CED140 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.14AFC4D4_5454_4AD5_B7FC_10D4FAB85CF3 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.B4924446_617C_4229_8C33_089CD780544D » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.F02247A4_BA3B_4A1D_B7EA_2CB2F17490B7 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.0F75E4D6_4C58_47F6_B626_BA408BA6F03B » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.B3E4ACDE_961E_474B_87CC_22A67A5E77CB » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.D8256176_51D5_41D4_B965_C7B0BC9E4A27 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht.D073AD43_9C5B_4759_A404_ED1717BEEAD7 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » Getting_Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Wise Installation Wizard\WIS1C4551A64743409391E41477CD655043_9_09_0203.MSI » MSI » Cabs.w1.cab » CAB » AGEIA_PhysX_Help.mht.A7B7CAD6_34A6_11DC_8587_001422537A6B » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Wise Installation Wizard\WIS6833245EDD86479A882A8360D62C8194_9_09_0720.MSI » MSI » Cabs.w1.cab » CAB » AGEIA_PhysX_Help.mht.A7B7CAD6_34A6_11DC_8587_001422537A6B » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Wise Installation Wizard\WISB83FC356B7C0441F8A4DD71E088E7974_9_09_0428.MSI » MSI » Cabs.w1.cab » CAB » AGEIA_PhysX_Help.mht.A7B7CAD6_34A6_11DC_8587_001422537A6B » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\Wise Installation Wizard\WISC5C1C0F0D62F4DBF81D4D7EF397C228B_9_09_0814.MSI » MSI » Cabs.w1.cab » CAB » AGEIA_PhysX_Help.mht.A7B7CAD6_34A6_11DC_8587_001422537A6B » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\JDown\tools\flashgot.xpi » ZIP » chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Malwarebytes' Anti-Malware\license.txt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft CAPICOM 2.1.0.2\License\license.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition - Customized.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Sony\Vegas Pro 8.0\Sony Vegas Pro 8 -- ShuttlePRO v2.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Sony\Vegas Pro 8.0\Sony Vegas Pro 8 -- ShuttlePRO.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Sony\Vegas Pro 8.0\Sony Vegas Pro 8 -- ShuttleXpress.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\SPSSInc\Statistics17\visualization.jar » ZIP » gpl/3DScatter.gpl » MIME - is OK (internal scanning not performed)
C:\Program Files\SPSSInc\Statistics17\visualization.jar » ZIP » gpl/BarChartUsingMean.gpl » MIME - is OK (internal scanning not performed)
C:\Program Files\SPSSInc\Statistics17\visualization.jar » ZIP » gpl/PercentagePie.gpl » MIME - is OK (internal scanning not performed)
C:\Program Files\SPSSInc\Statistics17\visualization.jar » ZIP » gpl/USStateChoroplethMap.gpl » MIME - is OK (internal scanning not performed)
C:\Program Files\SPSSInc\Statistics17\JRE\lib\deploy\ffjcext.zip » ZIP » {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » msvcr80.dll.8.0.50727.762.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » msvcp80.dll.8.0.50727.762.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » msvcm80.dll.8.0.50727.762.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » ul_msvcp80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » ul_msvcm80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » nosxs_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » nosxs_msvcp80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\SPSSInc\Statistics17\VC8\vcredist.msi » MSI » _14241_Microsoft_VC80_CRT_x86.msm » CAB » nosxs_msvcm80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E - archive damaged - the file could not be extracted.
C:\Program Files\WPE\WPE PRO.exe - Win32/Sniffer.WpePro.A trojan - cleaned by deleting - quarantined [1]
C:\Program Files\WPE\WpeSpy.dll - Win32/Sniffer.WpePro.B trojan - cleaned by deleting - quarantined [1]
C:\Program Files\Xvid\VobSub\uninstall.exe » NSIS - bad archive
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP787\A0235743.exe » NSIS » License.txt » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP787\A0235744.exe » INNO » - unsupported option
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP791\A0238985.rbf » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP795\A0239544.exe - Win32/Sniffer.WpePro.A trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{F7F29E9F-2EB1-4A86-8A7A-E232D0A343E6}\RP795\A0239545.dll - Win32/Sniffer.WpePro.B trojan - cleaned by deleting - quarantined [1]
C:\WINDOWS\Downloaded Installations\{215346A4-41DD-44E6-A5FF-165D475F7436}\veoh.msi » MSI » Data1.cab » CAB » _9AA31A0D2E2B44E18EBA4B70083F2C6C » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\$PatchCache$\Managed\26DDC2EC4210AC63483DF9D4FCC5B59D\3.5.30729\Chrome_manifest.3643236F_FC70_11D3_A536_0090278A1BB8 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\WINDOWS\system32\config\default - error opening [4]
C:\WINDOWS\system32\config\default.LOG - error opening [4]
C:\WINDOWS\system32\config\SAM - error opening [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening [4]
C:\WINDOWS\system32\config\SECURITY - error opening [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening [4]
C:\WINDOWS\system32\config\software - error opening [4]
C:\WINDOWS\system32\config\software.LOG - error opening [4]
C:\WINDOWS\system32\config\system - error opening [4]
C:\WINDOWS\system32\config\system.LOG - error opening [4]
C:\WINDOWS\system32\drivers\sptd.sys - error opening [4]
D:\MATLAB\help\toolbox\gauges\gauges.map » MIME - is OK (internal scanning not performed)
D:\MATLAB\help\toolbox\slcontrol\slcontrol.map » MIME - is OK (internal scanning not performed)
D:\MATLAB\toolbox\imaq\imaqadaptors\kit\doc\imaqadaptor.chm » CHM - error reading archive
D:\MATLAB\toolbox\webserver\wsdemos\thtmlrep2.html » MIME - is OK (internal scanning not performed)
Number of scanned objects: 652893
Number of threats found: 4
Number of cleaned objects: 4
Time of completion: 12:15:59 PM Total scanning time: 3817 sec (01:03:37)
Notes:
[1] Object has been deleted as it only contained the virus body.
[4] Object cannot be opened. It may be in use by another application or operating system.
The ESET scan found and removed some infected System Restore points. They are harmless where they are. In this post, I'll show how to remove any remaining infected System Restore points and set up a new, clean one.
If there are no more problems, then you're good to go. :)
You can delete the following off of your computer:
DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /Uninstall & click OK
Empty your Recycle Bin.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure
This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked, please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK
Use Antivirus Software and Keep It Updated
It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently
It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional.
Download the MVPS hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html).
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the taskbar at the bottom of your screen, then click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. In the drop-down box, change the setting from Automatic to Manual. Click OK.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.spybot.info/showthread.php?t=279)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
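The Internet Options, Folder Options and DNS Client steps in the post above, as an added example that is not part of the original thread: the same changes made from PowerShell (2.0 runs on XP) instead of the GUI. The registry value names and the meaning of the DWORD values (0 = Enable, 1 = Prompt, 3 = Disable in the zone key) are the standard ones Internet Explorer and Explorer use; the mapping of each value name to the Custom Level label quoted in the post is my assumption, so check the dialog afterwards. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original thread: the Internet Options,
# Folder Options and DNS Client steps from the post, done through the
# registry and Set-Service. Run from an elevated PowerShell (2.0 or later).

# --- Internet zone (zone 3) security settings -------------------------------
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Enable = 0; $Prompt = 1; $Disable = 3     # meaning of the DWORD values in this key

# Registry value name -> Custom Level label (assumed mapping) and the level
# recommended in the post.
$zoneSettings = @(
    @{ Name = '1001'; Label = 'Download signed ActiveX controls';                         Want = $Prompt  },
    @{ Name = '1004'; Label = 'Download unsigned ActiveX controls';                       Want = $Disable },
    @{ Name = '1201'; Label = 'Initialize and script ActiveX controls not marked as safe'; Want = $Disable },
    @{ Name = '1800'; Label = 'Installation of desktop items';                            Want = $Prompt  },
    @{ Name = '1804'; Label = 'Launching programs and files in an IFRAME';                Want = $Prompt  },
    @{ Name = '1607'; Label = 'Navigate sub-frames across different domains';             Want = $Prompt  }
)

foreach ($s in $zoneSettings) {
    # Read the current value (null if the value has never been set), change it only if needed.
    $current = (Get-ItemProperty -Path $zoneKey -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -ne $s.Want) {
        Set-ItemProperty -Path $zoneKey -Name $s.Name -Value $s.Want -Type DWord
        Write-Host ('{0}: {1} -> {2}' -f $s.Label, $current, $s.Want)
    }
}

# --- Folder Options (View tab) ----------------------------------------------
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$folderSettings = @{
    'Hidden'           = 2   # 2 = Do not show hidden files and folders
    'ShowSuperHidden'  = 0   # 0 = Hide protected operating system files (Recommended)
    'WebViewBarricade' = 1   # 1 = Display the contents of system folders
    'HideFileExt'      = 0   # 0 = show extensions for known file types (box unchecked)
}
foreach ($name in $folderSettings.Keys) {
    Set-ItemProperty -Path $advKey -Name $name -Value $folderSettings[$name] -Type DWord
}
# Explorer reads these at start-up; log off or restart explorer.exe to see the change.

# --- DNS Client service (only needed if you install the MVPS hosts file) ----
Set-Service -Name Dnscache -StartupType Manual
Get-WmiObject Win32_Service -Filter "Name='Dnscache'" | Select-Object Name, State, StartMode
```

The script only writes a zone value when it differs from the recommended level, and prints each change, so running it a second time is a quick way to confirm nothing has reset the settings behind your back.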
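The hosts file mentioned in the post above, as an added example that is not from the original thread: a small PowerShell audit that separates ordinary block entries (names mapped to 0.0.0.0 or 127.0.0.1, which is all a blocklist such as the MVPS file ever does) from entries that send a well-known site to a remote address, which is one way search traffic can be redirected without the browser being involved. The sample hosts content and the watch list are constructed for the demo and are my assumptions, not anything from the thread; pass the contents of %SystemRoot%\System32\drivers\etc\hosts to audit the real file.

```powershell
# Added example, not from the original thread: audit a hosts file for
# entries that send well-known sites to a remote address. A blocklist such
# as the MVPS hosts file only ever maps names to 0.0.0.0 or 127.0.0.1; an
# entry that points google.com at a real address is a hijack. Windows
# consults the hosts file before DNS, and the first matching line wins.

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#')[0].Trim()          # drop comments and blank lines
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Length -lt 2) { continue }        # an address with no names: ignore
        foreach ($name in $fields[1..($fields.Length - 1)]) {
            New-Object PSObject -Property @{ Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

function Test-LocalAddress {
    param([string]$Address)
    # Block-style entries point at the local host; anything else is a real redirect.
    return ($Address -eq '0.0.0.0' -or $Address -like '127.*' -or $Address -eq '::1')
}

function Resolve-FromHosts {
    # Mimics the resolver: the first line naming the host wins; $null if not listed.
    param([string[]]$Lines, [string]$Name)
    $hit = Get-HostsEntries -Lines $Lines | Where-Object { $_.Name -eq $Name.ToLower() } | Select-Object -First 1
    if ($hit) { return $hit.Address }
    return $null
}

function Find-HostsHijacks {
    param([string[]]$Lines, [string[]]$Watch)
    foreach ($e in (Get-HostsEntries -Lines $Lines)) {
        if (Test-LocalAddress -Address $e.Address) { continue }
        # Flag the entry if the name is a watched domain or a sub-domain of one.
        $matched = $Watch | Where-Object { $e.Name -eq $_ -or $e.Name.EndsWith('.' + $_) }
        if ($matched) {
            New-Object PSObject -Property @{ Name = $e.Name; Address = $e.Address; Watched = ($matched -join ',') }
        }
    }
}

# Constructed sample (203.0.113.0/24 is a documentation range, not a real host).
$sample = @'
# constructed sample hosts file for the demo
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net            # typical MVPS-style block entry
127.0.0.1       www.badtracker.example
203.0.113.7     www.google.com google.com     # hijack: search traffic sent elsewhere
203.0.113.7     update.microsoft.com
'@ -split "`r?`n"

# Assumed watch list; extend it with the sites you care about.
$watch = 'google.com', 'bing.com', 'yahoo.com', 'microsoft.com', 'eset.com'

Find-HostsHijacks -Lines $sample -Watch $watch | Format-Table Name, Address, Watched -AutoSize
Resolve-FromHosts -Lines $sample -Name 'www.google.com'

# To audit the real file:
# Find-HostsHijacks -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts") -Watch $watch
```

On the sample the audit reports the two google.com names and update.microsoft.com, and leaves the loopback and 0.0.0.0 lines alone; after installing the MVPS file, a clean run should report nothing, since every line in that file points at the local host.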
Thanks for everything! :)))))
You're welcome. I'm glad I was able to help you out. :)
Good luck and safe surfing!
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.