Still hijacking after using restore point

cobo76

New member
I got infected a couple of days ago. I quickly tried to scan and repair with Malwarebytes'. Although it showed everything fixed, Firefox still got hijacked and programmes couldn't update themselves. I used System Restore to restore the PC to an earlier time. It worked in some way, as I could update programmes, but Firefox still gets hijacked from Google search links. Attached: the present HijackThis log and the Malwarebytes' log from before I restored the PC:
---------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:15:06, on 05/04/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
D:\Peter\Trojaiellenes\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6792 bytes
-----------------------------------------------------------------
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3954

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

04/04/2010 21:20:36
mbam-log-2010-04-04 (21-20-36).txt

Scan type: Quick scan
Objects scanned: 103488
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63147e94-70d9-468c-bbb5-5ac2f7d6929f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63147e94-70d9-468c-bbb5-5ac2f7d6929f}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0b04f4f-a430-4282-a50a-5fd9a25a3d36}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.99,93.188.161.133 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Zsolt\AppData\Local\Temp\PrintBrmUia.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\000039e6.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\System32\spool\prtprocs\w32x86\00007ac9.tmp (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Zsolt\Local Settings\Temporary Internet Files\udRemove.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
--------------------------------------------------------------------------

Thanks for your help, cobo
 
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Thanks peku006
 
Thanks for helping, Peku006. Here are the requested logs:

OTL logfile created on: 07/04/2010 10:37:33 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = D:\Peter\Trojaiellenes
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 59.57 Gb Total Space | 41.90 Gb Free Space | 70.32% Space Free | Partition Type: NTFS
Drive D: | 168.32 Gb Total Space | 75.63 Gb Free Space | 44.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 298.09 Gb Total Space | 132.61 Gb Free Space | 44.49% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC
Current User Name: Zsolt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - D:\Peter\Trojaiellenes\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (Adobe Systems Incorporated)
PRC - c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe (Hewlett-Packard Development Co. L.P.)
PRC - C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)


========== Modules (SafeList) ==========

MOD - D:\Peter\Trojaiellenes\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (McAfee SiteAdvisor Service) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)


========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\Windows\System32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\Windows\System32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService) -- C:\Windows\System32\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV - (MPFP) -- C:\Windows\System32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\system32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (FETNDIS) -- C:\Windows\System32\drivers\fetnd6.sys (VIA Technologies, Inc. )
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\Windows\System32\drivers\RTKVAC.SYS (Realtek Semiconductor Corp.)
DRV - (hwdatacard) -- C:\Windows\System32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (W8100PCI) -- C:\Windows\System32\drivers\mrv8k51.sys (Marvell Semiconductor, Inc)
DRV - (nvmpu401) Service for NVIDIA(R) nForce(TM) -- C:\Windows\System32\drivers\nvmpu401.sys (NVIDIA Corporation)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.7
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.2
FF - prefs.js..extensions.enabledItems: ramback@pavlov.net:1.0
FF - prefs.js..extensions.enabledItems: silvermelxt@pardal.de:1.3.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: {069FB356-C69F-7349-D092-AB28AF882F01}:0.2.104


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/18 20:23:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/03/01 20:07:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/07 00:20:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/07 00:20:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/07 00:20:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/12/12 19:51:47 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Extensions
[2009/12/12 19:51:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/04/06 20:46:20 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions
[2010/02/14 00:15:53 | 000,000,000 | ---D | M] (Phoenity Classic) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{069FB356-C69F-7349-D092-AB28AF882F01}
[2009/10/26 14:02:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/17 19:46:20 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/11/03 21:12:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/03/18 19:19:24 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\personas@christopher.beard
[2009/10/26 14:02:27 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\ramback@pavlov.net
[2009/11/03 14:51:39 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\silvermelxt@pardal.de
[2010/02/17 20:29:45 | 000,000,000 | ---D | M] -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\toolbar@alot.com
[2010/04/01 16:40:16 | 000,002,141 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\bing---images.xml
[2010/04/01 16:40:17 | 000,002,216 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\flickr.xml
[2008/11/25 16:07:42 | 000,002,088 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\hmv-search.xml
[2008/06/21 10:35:50 | 000,000,908 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\imdb.xml
[2010/04/01 16:40:17 | 000,002,005 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\longman.xml
[2010/04/01 16:40:17 | 000,001,617 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\magyar-helyesrs.xml
[2010/04/01 16:40:15 | 000,002,641 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\pic-search.xml
[2010/04/01 16:40:16 | 000,002,119 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\porthu.xml
[2010/04/01 16:40:17 | 000,002,307 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\rotten-tomatoes.xml
[2008/08/10 18:32:28 | 000,001,541 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\sztaki-eng-dict.xml
[2008/05/23 15:43:28 | 000,001,110 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\the-pirate-bay.xml
[2010/04/01 16:40:17 | 000,000,967 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\torrentz.xml
[2008/11/11 00:38:26 | 000,001,332 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\wikipedia---magyar.xml
[2008/06/21 10:35:50 | 000,001,108 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\wikipedia-en.xml
[2010/04/01 16:40:17 | 000,002,087 | ---- | M] () -- C:\Users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\searchplugins\youtube---videos.xml
[2010/02/17 21:10:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/06 20:36:06 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/04/06 20:36:06 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/06 20:36:06 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/06 20:36:06 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001..\Run: [ISUSPM] C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-261453740-1934816615-1763482817-1001\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{396de571-0449-11df-a7e0-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{396de571-0449-11df-a7e0-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{396de573-0449-11df-a7e0-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{396de573-0449-11df-a7e0-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{8968d1c0-166c-11df-8026-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{8968d1c0-166c-11df-8026-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{8968d1c2-166c-11df-8026-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{8968d1c2-166c-11df-8026-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{f4545633-ff9b-11de-8c51-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{f4545633-ff9b-11de-8c51-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O33 - MountPoints2\{f4545639-ff9b-11de-8c51-0015f2781340}\Shell - "" = AutoRun
O33 - MountPoints2\{f4545639-ff9b-11de-8c51-0015f2781340}\Shell\AutoRun\command - "" = G:\StartVMCLite.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/07 00:24:07 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Local\Apple Computer
[2010/04/07 00:23:09 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/07 00:19:31 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/07 00:17:55 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/04/07 00:17:50 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Local\Apple
[2010/04/06 22:01:53 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Local\Adobe
[2010/04/05 23:19:44 | 000,000,000 | ---D | C] -- C:\rsit
[2010/04/05 22:10:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/05 21:06:46 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/04/05 21:06:46 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/04/05 21:06:46 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/04/05 20:55:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/05 20:55:34 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/05 15:03:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/04 21:50:23 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/04/04 21:03:28 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/04 18:32:58 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Roaming\Malwarebytes
[2010/04/04 18:32:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/04 18:32:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/03 21:52:35 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/04/03 19:41:00 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/04/02 21:22:58 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010/04/02 21:14:46 | 000,000,000 | ---D | C] -- C:\Users\Zsolt\AppData\Roaming\BitTorrent
[2010/04/01 20:50:13 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player
[2010/04/01 20:50:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/01 20:46:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/04/01 18:56:40 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/17 21:53:42 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts

========== Files - Modified Within 30 Days ==========

[2010/04/07 10:43:10 | 001,835,008 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat
[2010/04/07 10:36:17 | 000,013,232 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 10:36:17 | 000,013,232 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 10:36:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001UA.job
[2010/04/07 10:33:26 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/07 10:33:26 | 000,619,206 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/07 10:33:26 | 000,107,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/07 10:30:03 | 000,014,332 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/04/07 10:28:46 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/07 10:28:36 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/07 10:28:27 | 1610,260,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/07 01:43:41 | 001,891,888 | -H-- | M] () -- C:\Users\Zsolt\AppData\Local\IconCache.db
[2010/04/07 00:23:54 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/07 00:20:14 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/05 22:11:02 | 000,239,338 | ---- | M] () -- C:\Users\Public\Documents\cc_20100405_221051.reg
[2010/04/05 22:10:09 | 000,001,831 | ---- | M] () -- C:\Users\Zsolt\Desktop\CCleaner.lnk
[2010/04/05 21:02:18 | 000,524,288 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000002.regtrans-ms
[2010/04/05 21:02:18 | 000,524,288 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000001.regtrans-ms
[2010/04/05 21:02:18 | 000,065,536 | -HS- | M] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TM.blf
[2010/04/05 20:33:29 | 000,000,803 | ---- | M] () -- C:\Users\Public\Desktop\Opera.lnk
[2010/04/05 20:30:01 | 000,002,245 | ---- | M] () -- C:\Users\Zsolt\Desktop\Google Chrome.lnk
[2010/04/05 20:18:35 | 000,108,352 | ---- | M] () -- C:\Users\Zsolt\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/04 18:01:05 | 000,000,036 | ---- | M] () -- C:\Users\Zsolt\AppData\Local\housecall.guid.cache
[2010/04/01 20:24:17 | 000,011,159 | ---- | M] () -- C:\Users\Public\Documents\newTVandSurround.xlsx
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/18 14:36:00 | 000,000,854 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001Core.job
[2010/03/17 21:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2010/03/11 18:59:34 | 011,698,379 | ---- | M] () -- C:\Users\Public\Documents\samsung le40b650.pdf
[2010/03/11 02:09:59 | 000,393,543 | ---- | M] () -- C:\Users\Public\Documents\bookmarks.html

========== Files Created - No Company Name ==========

[2010/04/07 00:23:54 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/07 00:20:14 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/05 22:10:59 | 000,239,338 | ---- | C] () -- C:\Users\Public\Documents\cc_20100405_221051.reg
[2010/04/05 22:10:09 | 000,001,831 | ---- | C] () -- C:\Users\Zsolt\Desktop\CCleaner.lnk
[2010/04/05 20:18:03 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000002.regtrans-ms
[2010/04/05 20:18:03 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TMContainer00000000000000000001.regtrans-ms
[2010/04/05 20:18:02 | 000,065,536 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat{68d223d7-4094-11df-87b3-0015f2781340}.TM.blf
[2010/04/04 18:01:05 | 000,000,036 | ---- | C] () -- C:\Users\Zsolt\AppData\Local\housecall.guid.cache
[2010/03/17 21:57:06 | 000,011,159 | ---- | C] () -- C:\Users\Public\Documents\newTVandSurround.xlsx
[2010/03/11 18:59:34 | 011,698,379 | ---- | C] () -- C:\Users\Public\Documents\samsung le40b650.pdf
[2010/03/11 02:09:59 | 000,393,543 | ---- | C] () -- C:\Users\Public\Documents\bookmarks.html
[2009/11/25 20:03:51 | 000,002,242 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/11/04 19:46:50 | 000,006,656 | ---- | C] () -- C:\Users\Zsolt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/26 20:17:53 | 000,007,611 | ---- | C] () -- C:\Users\Zsolt\AppData\Local\Resmon.ResmonCfg
[2009/10/25 23:40:25 | 001,835,008 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat
[2009/10/25 23:40:25 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009/10/25 23:40:25 | 000,524,288 | -HS- | C] () -- C:\Users\Zsolt\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009/10/25 23:40:25 | 000,262,144 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat.LOG1
[2009/10/25 23:40:25 | 000,065,536 | -HS- | C] () -- C:\Users\Zsolt\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009/10/25 23:40:25 | 000,000,020 | -HS- | C] () -- C:\Users\Zsolt\ntuser.ini
[2009/10/25 23:40:25 | 000,000,000 | -HS- | C] () -- C:\Users\Zsolt\ntuser.dat.LOG2
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/04/14 08:43:32 | 000,154,144 | ---- | C] () -- C:\Windows\System32\RTLCPAPI.dll
[2004/08/13 10:56:20 | 000,005,810 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
< End of report >

********************************************************

OTL Extras logfile created on: 07/04/2010 10:37:33 - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = D:\Peter\Trojaiellenes
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 59.57 Gb Total Space | 41.90 Gb Free Space | 70.32% Space Free | Partition Type: NTFS
Drive D: | 168.32 Gb Total Space | 75.63 Gb Free Space | 44.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 298.09 Gb Total Space | 132.61 Gb Free Space | 44.49% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC
Current User Name: Zsolt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05ADEEC8-BD58-43D9-A9E3-1F53B0DA117A}" = Opera 10.51
"{07B739FD-DD3E-5060-6DF2-1D0A6448C192}" = Catalyst Control Center Graphics Full Existing
"{0EF5BEA9-B9D3-46d7-8958-FB69A0BAEACC}" = Status
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{101C938A-B723-97FB-A065-EDFD782E5978}" = Catalyst Control Center Graphics Light
"{17016DA1-F040-4032-BD36-34DD317BC9D5}" = HP Photosmart All-In-One Driver Software 13.0 Rel. A
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1EC71BFB-01A3-4239-B6AF-B1AE656B15C0}" = TrayApp
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2A7EF808-14F3-4E93-BE3A-1675EE5332A4}" = AIO_CDA_ProductContext
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2FF8C687-DB7D-4adc-A5DC-57983EC25046}" = DeviceDiscovery
"{36787A11-7848-3C1C-17E3-667A9FFB0E9C}" = Catalyst Control Center Core Implementation
"{3C92B2E6-380D-4fef-B4DF-4A3B4B669771}" = Copy
"{4037A2B9-A976-4538-8B08-A0D95B637F35}" = C5100
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{440B915A-0C85-45DB-92AE-75AE14704A64}" = Fax
"{49FA793C-785E-47E9-93DF-BD442B0B45D1}" = McAfee Virtual Technician
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4DFAEE3E-3489-5236-9028-1A5B9B359CD0}" = Catalyst Control Center Graphics Full New
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5FE82A80-8985-082F-9B61-7EEDB1FCB461}" = ccc-core-static
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75247E38-5C9B-45D6-ADF8-E11CB56B4990}" = Network
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78610B4D-3157-9EA6-905E-64F144EC1E30}" = Catalyst Control Center Graphics Previews Common
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{96FF1134-84D4-8E51-0C1D-1798C6EED45E}" = Catalyst Control Center Graphics Previews Vista
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{99D3379A-4741-FC40-5E63-E47DD31560D2}" = CCC Help English
"{9B362566-EC1B-4700-BB9C-EC661BDE2175}" = DocProc
"{A0F66FCA-8206-9034-9B67-D1F50DA2DDAC}" = Catalyst Control Center HydraVision Full
"{A5436728-2DFD-4221-B4D7-F49F740134C9}" = c5100_Help
"{A548C254-03BB-22F8-1064-899487B3CF85}" = Catalyst Control Center InstallProxy
"{A7AEE29F-839E-46B5-B347-6D430618129F}" = AIO_CDA_Software
"{AB06254A-9A28-F8AD-236E-FB5C3108FE85}" = ATI Catalyst Install Manager
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Professional
"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
"{D86B0E2E-DF9A-441C-AF77-8D1A0FF00FA6}" = AIO_Scan
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F6124436-F906-7B89-7009-50BB8CD7CA93}" = ccc-utility
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"CCleaner" = CCleaner
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Photosmart Essential" = HP Photosmart Essential 3.5
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"HPOCR" = OCR Software by I.R.I.S. 13.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"MSC" = McAfee SecurityCenter
"Shop for HP Supplies" = Shop for HP Supplies
"The KMPlayer" = The KMPlayer (remove only)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-261453740-1934816615-1763482817-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Analog Clock" = Analog Clock
"Calendar Clock" = Calendar Clock
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 05/04/2010 15:18:11 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:21:12 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:21:13 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:10 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:10 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:45 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:23:45 | Computer Name = PC | Source = McLogEvent | ID = 5022
Description = MCSCAN32 Engine Initialisation failed. Engine returned error : 7

Error - 05/04/2010 15:28:10 | Computer Name = PC | Source = Windows Backup | ID = 4103
Description =

Error - 05/04/2010 16:13:03 | Computer Name = PC | Source = Windows Backup | ID = 4103
Description =

Error - 05/04/2010 16:13:27 | Computer Name = PC | Source = Windows Backup | ID = 4103
Description =

[ Media Center Events ]
Error - 20/01/2010 04:27:24 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 08:27:16 - Error connecting to the internet. 08:27:16 - Unable
to contact server..

Error - 23/01/2010 11:02:20 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 15:02:19 - Error connecting to the internet. 15:02:19 - Unable
to contact server..

Error - 23/01/2010 11:02:28 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 15:02:25 - Error connecting to the internet. 15:02:25 - Unable
to contact server..

Error - 23/01/2010 15:55:04 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 19:55:02 - Failed to retrieve Broadband (Error: The remote name could
not be resolved: 'data.tvdownload.microsoft.com')

Error - 24/01/2010 06:57:42 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:57:42 - Error connecting to the internet. 10:57:42 - Unable
to contact server..

Error - 24/01/2010 06:57:52 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:57:47 - Error connecting to the internet. 10:57:47 - Unable
to contact server..

Error - 30/01/2010 06:11:13 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:11:13 - Error connecting to the internet. 10:11:13 - Unable
to contact server..

Error - 30/01/2010 06:11:22 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 10:11:18 - Error connecting to the internet. 10:11:18 - Unable
to contact server..

Error - 30/01/2010 08:01:13 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 12:01:13 - Error connecting to the internet. 12:01:13 - Unable
to contact server..

Error - 30/01/2010 08:01:21 | Computer Name = PC | Source = MCUpdate | ID = 0
Description = 12:01:18 - Error connecting to the internet. 12:01:18 - Unable
to contact server..

[ System Events ]
Error - 05/04/2010 17:09:16 | Computer Name = PC | Source = DCOM | ID = 10005
Description =

Error - 05/04/2010 17:09:16 | Computer Name = PC | Source = DCOM | ID = 10005
Description =

Error - 05/04/2010 17:16:45 | Computer Name = PC | Source = Service Control Manager | ID = 7023
Description = The iPod Service service terminated with the following error: %%-2147417831

Error - 05/04/2010 17:17:13 | Computer Name = PC | Source = DCOM | ID = 10010
Description =

Error - 06/04/2010 18:32:46 | Computer Name = PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 06/04/2010 19:00:27 | Computer Name = PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the lmhosts service.

Error - 06/04/2010 19:16:55 | Computer Name = PC | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 06/04/2010 19:17:26 | Computer Name = PC | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 06/04/2010 19:18:26 | Computer Name = PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Apple Mobile Device service,
but this action failed with the following error: %%1056

Error - 06/04/2010 20:44:21 | Computer Name = PC | Source = DCOM | ID = 10010
Description =


< End of report >
 
Hi cobo

1 - Download and Run ComboFix

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you
Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)


Thanks peku006
 
Thanks for the reply.

A strange thing happened: when I came home from work and switched on the computer, after the Win 7 welcome message there was only a black screen and a cursor and nothing else. I could bring up the Windows Task Manager and figured out that explorer.exe wasn't running at all and couldn't get it to run (no access). I managed to open Firefox, download ComboFix and run it, which helped a lot; at one point it even displayed 'System file infected: explorer.exe' and managed to reinstate it. So Windows 7 and the desktop are back after running ComboFix, but strangely the Google redirections (and a slower net sometimes) still exist.

Here is the combofix log:

ComboFix 10-04-06.05 - Zsolt 07/04/2010 22:55:01.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2048.1380 [GMT 1:00]
Running from: c:\users\Zsolt\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.bing.com
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 22:01 . 2010-04-07 22:04 -------- d-----w- c:\users\Zsolt\AppData\Local\temp
2010-04-07 22:01 . 2010-04-07 22:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-07 09:38 . 2009-10-31 06:00 2614272 ----a-w- c:\windows\explorer.exe
2010-04-06 23:24 . 2010-04-06 23:24 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple Computer
2010-04-06 23:23 . 2010-04-06 23:23 -------- d-----w- c:\program files\iPod
2010-04-06 23:19 . 2010-04-06 23:20 -------- d-----w- c:\program files\QuickTime
2010-04-06 23:17 . 2010-04-06 23:17 -------- d-----w- c:\program files\Apple Software Update
2010-04-06 23:17 . 2010-04-06 23:17 -------- d-----w- c:\users\Zsolt\AppData\Local\Apple
2010-04-06 21:01 . 2010-04-07 09:32 -------- d-----w- c:\users\Zsolt\AppData\Local\Adobe
2010-04-05 22:19 . 2010-04-05 22:19 -------- d-----w- C:\rsit
2010-04-05 21:10 . 2010-04-05 21:10 -------- d-----w- c:\program files\CCleaner
2010-04-05 20:06 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-04-05 19:55 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 19:55 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 14:03 . 2010-04-05 14:03 -------- d-----w- c:\program files\ESET
2010-04-04 20:03 . 2010-04-04 20:03 -------- d-----w- c:\program files\Trend Micro
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Malwarebytes
2010-04-04 17:32 . 2010-04-05 19:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 17:32 . 2010-04-04 17:32 -------- d-----w- c:\programdata\Malwarebytes
2010-04-03 20:52 . 2010-04-05 18:16 -------- d-----w- c:\program files\Unlocker
2010-04-03 18:41 . 2010-04-03 18:41 -------- d-----w- c:\windows\Sun
2010-04-02 20:22 . 2010-04-05 18:16 -------- d-----w- c:\program files\7-Zip
2010-04-02 20:14 . 2010-04-05 18:16 -------- d-----w- c:\users\Zsolt\AppData\Roaming\BitTorrent
2010-04-01 19:50 . 2010-04-05 18:16 -------- d-----w- c:\program files\Adobe Media Player
2010-04-01 19:50 . 2010-04-01 19:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-01 19:46 . 2010-04-01 19:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-04-01 17:56 . 2010-04-01 17:57 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-26 00:48 . 2010-03-26 00:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 22:04 . 2009-12-03 21:16 117760 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 23:23 . 2010-02-12 16:43 -------- d-----w- c:\program files\iTunes
2010-04-06 23:23 . 2009-10-26 16:36 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 23:16 . 2009-10-26 16:37 -------- d-----w- c:\program files\Bonjour
2010-04-05 21:16 . 2010-02-13 09:58 -------- d-----w- c:\program files\McAfee
2010-04-05 20:48 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-05 20:22 . 2009-10-26 14:20 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-05 20:04 . 2009-12-03 21:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-05 19:33 . 2010-03-03 20:01 -------- d-----w- c:\program files\Opera
2010-04-05 19:18 . 2009-10-25 23:23 108352 ----a-w- c:\users\Zsolt\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-05 18:16 . 2009-10-26 14:20 -------- d-----w- c:\users\Zsolt\AppData\Roaming\Thunderbird
2010-04-05 18:16 . 2010-02-13 10:08 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-05 18:16 . 2009-10-27 20:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-05 18:16 . 2009-11-17 21:24 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-04-05 18:15 . 2009-10-26 16:38 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-08 20:06 . 2009-12-02 20:44 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HpUpdate
2010-03-02 18:46 . 2010-03-02 18:46 -------- d-----w- c:\users\Zsolt\AppData\Roaming\HPAppData
2010-03-01 21:35 . 2010-03-01 19:07 23112 ----a-w- c:\windows\hpqins15.dat
2010-02-24 09:16 . 2009-10-25 22:45 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 20:10 . 2010-02-17 20:10 -------- d-----w- c:\program files\Common Files\Java
2010-02-17 20:10 . 2010-02-17 20:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-17 20:10 . 2010-02-17 20:10 -------- d-----w- c:\program files\Java
2010-02-13 11:07 . 2009-10-26 15:11 -------- d-----w- c:\programdata\Microsoft Help
2010-02-13 11:02 . 2010-02-13 11:02 -------- d-----w- c:\program files\Microsoft.NET
2010-02-13 10:10 . 2010-02-13 09:58 -------- d-----w- c:\programdata\McAfee
2010-02-13 10:08 . 2010-02-13 10:08 -------- d-----w- c:\program files\McAfee.com
2010-02-13 09:59 . 2010-02-13 09:59 -------- d-----w- c:\users\Zsolt\AppData\Roaming\McAfee
2010-02-13 09:00 . 2010-02-13 09:00 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-12 18:52 . 2010-02-12 18:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-12 17:19 . 2009-12-18 09:10 52224 ----a-w- c:\users\Zsolt\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 14:55 . 2010-02-17 19:29 12800 ----a-w- c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
2010-02-02 21:27 . 2010-01-19 20:31 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-02-02 21:10 . 2010-01-19 20:31 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-02-02 07:45 . 2010-02-23 18:48 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-28 19:22 . 2009-12-15 22:03 1923864 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-01-23 16:06 . 2009-12-15 22:02 710976 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-18 23:29 . 2010-02-12 12:46 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-12 12:46 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-12 12:46 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-12 12:46 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-12 12:46 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-12 12:46 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-12 12:46 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-12 12:46 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-08 03:18 . 2010-02-12 12:46 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-12 12:46 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-05 2010864]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Google Update"="c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-06 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-04 98304]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-29 1086856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Zsolt^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Zsolt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-14 18:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 00:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-20 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-20 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-20 66632]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-04 172032]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2009-12-14 93320]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001Core.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-261453740-1934816615-1763482817-1001UA.job
- c:\users\Zsolt\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-06 11:25]

2009-10-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]

2009-10-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-13 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\Zsolt\AppData\Roaming\Mozilla\Firefox\Profiles\890496yn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Zsolt\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.bpbz.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x856C8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x846b8910
QueryNameProcedure -> 0x846b8aa0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2344)
c:\progra~1\mcafee\sitead~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\conhost.exe
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-04-07 23:07:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 22:07

Pre-Run: 44,618,502,144 bytes free
Post-Run: 44,540,444,672 bytes free

- - End Of File - - 0032EE48846024A0BBB65B51E221C908



Thanks for your help,
cobo
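The FIREFOX POLICIES section of the ComboFix log above comes from the profile's user.js, where a named capability policy can grant a listed site access to the clipboard. As an added example (not ComboFix's code and not anything posted in this thread), the following Python script parses a user.js file and reports which sites have been granted allAccess to a Clipboard capability, so the entries can be reviewed against what the user actually installed. The sample user.js is constructed from the pref names and values shown in the log.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample user.js, modelled on the "FF - user.js:" lines in the ComboFix log above.
SAMPLE_USER_JS = '''
user_pref("capability.policy.policynames", "allowclipboard");
user_pref("capability.policy.allowclipboard.sites", "http://www.bpbz.com");
user_pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess");
user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");
user_pref("browser.startup.homepage", "about:blank");
'''

# One user_pref("name", value); line per pref.  The value is captured raw and unquoted below.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_user_js(text: str) -> Dict[str, str]:
    """Return {pref_name: value} for every user_pref line; other lines are ignored."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        # Strip the quotes from string values; numbers and booleans are kept as written.
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def clipboard_policies(prefs: Dict[str, str]) -> List[Tuple[str, List[str], List[str]]]:
    """For each policy named in capability.policy.policynames, return
    (policy_name, sites, granted_capabilities) when the policy grants allAccess
    to any Clipboard.* capability.  Policies that grant nothing are omitted."""
    names = prefs.get("capability.policy.policynames", "")
    findings = []
    for pol in re.split(r"[,\s]+", names):   # policy names are comma- or space-separated
        if not pol:
            continue
        prefix = f"capability.policy.{pol}."
        sites = prefs.get(prefix + "sites", "").split()   # sites are space-separated
        granted = sorted(k[len(prefix):] for k, v in prefs.items()
                         if k.startswith(prefix + "Clipboard.") and v == "allAccess")
        if granted:
            findings.append((pol, sites, granted))
    return findings


if __name__ == "__main__":
    for pol, sites, granted in clipboard_policies(parse_user_js(SAMPLE_USER_JS)):
        print(f"policy {pol!r} grants {', '.join(granted)} to: {', '.join(sites) or '(no sites)'}")
```

Run against a real profile, read `user.js` from the profile directory shown in the log (the `FF - ProfilePath` line) and pass its contents to `parse_user_js`; any policy listed that the user does not recognise is worth removing from user.js and retesting.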
 
Oh and one more strange thing. I downloaded the combofix.exe to the desktop and it was there even after the reboot, but it disappeared afterwards. Or maybe that's normal?
 
Hi cobo76
but it disappeared afterwards. Or maybe that's normal?
Yes, it is "normal".

Please download gmer.zip from Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.
  • Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  • In Command Prompt, type in net stop gmer. Press Enter.
  • Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Thanks peku006
 
Well, I tried to run it, but just couldn't get it to work.
Attempt 1-3: the PC simply rebooted, without a blue screen, even before I could hit Start.
Attempt 4: The scan started, then the PC rebooted after a couple of seconds.
Attempt 5: Same as attempt 4, but I noted that the scan hung on \Ntfs before rebooting.
Attempt 6-7: Blue screen reboot.

After the first attempt I tried to rename the file, thinking that something was blocking it, but as you can see, it didn't make any difference.
 
I tried again in normal mode and in safe mode with no luck.
In safe mode, Windows at least gave me a reason code:

Problem signature:
Problem Event Name: APPCRASH
Application Name: gmer.exe
Application Version: 1.0.15.15281
Application Timestamp: 4b2763f0
Fault Module Name: gmer.exe
Fault Module Version: 1.0.15.15281
Fault Module Timestamp: 4b2763f0
Exception Code: c0000005
Exception Offset: 0000c4b1
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 2057
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789


Hope it helps
 
Hi cobo76

Ok, let's try this

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *atapi*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006
 
Hi peku006,

Here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:16 on 08/04/2010 by Zsolt (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21584 bytes [22:06 07/04/2010] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\en-US\WinSATAPI.dll.mui --a--- 6656 bytes [04:55 14/07/2009] [02:07 14/07/2009] 330A6E9A4A6FA657EBB094FCD82EFA9D
C:\Windows\System32\WinSATAPI.dll --a--- 335872 bytes [23:22 13/07/2009] [01:16 14/07/2009] 62D6C0C69ADFB00C3EB9A0CC81F39EE6
C:\Windows\winsxs\x86_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_6.1.7600.16385_none_e374b83d58edf937\WinSATAPI.dll --a--- 335872 bytes [23:22 13/07/2009] [01:16 14/07/2009] 62D6C0C69ADFB00C3EB9A0CC81F39EE6
C:\Windows\winsxs\x86_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_89009cca9c91feec\WinSATAPI.dll.mui --a--- 6656 bytes [04:55 14/07/2009] [02:07 14/07/2009] 330A6E9A4A6FA657EBB094FCD82EFA9D
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-


Thanks for your continuous help. I'll be away till Monday evening (12 Apr) and will log in as soon as I get home.
cobo76
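The point of that :filefind is that Windows keeps several copies of a driver such as atapi.sys (the live one under System32\drivers, the DriverStore and winsxs copies, and here an ERDNT backup), and they should all carry the same size and MD5. As an added example (not SystemLook's code and not something posted in this thread), the following Python script parses the filefind output above and reports any copy whose hash differs from the hash shared by the other copies of the same file name. The first log is the one from this post; the second log, with a mismatching hash on the live driver, is constructed to show what a flagged result looks like.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Lines taken from the SystemLook log posted above (the filefind section).
SYSTEMLOOK_LOG = r'''
========== filefind ==========

Searching for "*atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21584 bytes [22:06 07/04/2010] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\WinSATAPI.dll --a--- 335872 bytes [23:22 13/07/2009] [01:16 14/07/2009] 62D6C0C69ADFB00C3EB9A0CC81F39EE6
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-
'''

# Constructed variant: the live driver copy carries a different size and hash (an all-zero
# placeholder, not a real hash) so that the check below has something to flag.
TAMPERED_LOG = SYSTEMLOOK_LOG.replace(
    r"C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E",
    r"C:\Windows\System32\drivers\atapi.sys --a--- 24000 bytes [23:11 13/07/2009] [01:26 14/07/2009] 00000000000000000000000000000000",
)

# <path> <attrs> <size> bytes [<modified>] [<created>] <md5>
LINE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$'
)


def parse_filefind(text: str) -> List[Dict[str, object]]:
    """Parse the result lines of a SystemLook :filefind run; headers and blanks are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d: Dict[str, object] = dict(m.groupdict())
        d["size"] = int(m.group("size"))
        d["md5"] = m.group("md5").upper()
        d["name"] = m.group("path").rsplit("\\", 1)[-1].lower()   # bare file name, case-folded
        entries.append(d)
    return entries


def suspect_copies(entries: List[Dict[str, object]]) -> List[str]:
    """Paths whose MD5 differs from the hash shared by most copies of the same file name.
    Files that exist in a single copy, or whose copies all agree, are never flagged.
    With exactly two disagreeing copies there is no majority; both are returned."""
    by_name: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for e in entries:
        by_name[str(e["name"])].append(e)
    suspects: List[str] = []
    for copies in by_name.values():
        counts = Counter(str(c["md5"]) for c in copies)
        if len(counts) < 2:
            continue
        top_count = counts.most_common(1)[0][1]
        majority = {h for h, n in counts.items() if n == top_count}
        if len(majority) > 1:          # tie: cannot tell which copy is the good one
            suspects.extend(str(c["path"]) for c in copies)
        else:
            good = majority.pop()
            suspects.extend(str(c["path"]) for c in copies if c["md5"] != good)
    return suspects


if __name__ == "__main__":
    print("original log :", suspect_copies(parse_filefind(SYSTEMLOOK_LOG)) or "all copies agree")
    print("tampered log :", suspect_copies(parse_filefind(TAMPERED_LOG)))
```

For the log in this post every atapi.sys copy shares one hash, so nothing is flagged; a live driver whose hash disagrees with its DriverStore and winsxs copies is exactly the kind of result that would justify the helper's next step.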
 
Hi cobo76

Please download GooredFix by jpshortstuff from one of the links below and save it to your Desktop
Link 1 | Link 2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click GooredFix.exe.
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.
  • Please post the contents of that log in your next reply (the log can also be found on your desktop, named GooredFix.txt).

Thanks peku006
 
Hello peku006,

I'm back, here's the requested log:


GooredFix by jpshortstuff (08.01.10.1)
Log created at 18:07 on 13/04/2010 (Zsolt)
Firefox version 3.6.3 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:03 25/10/2009]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [20:10 17/02/2010]

C:\Users\Zsolt\Application Data\Mozilla\Firefox\Profiles\890496yn.default\extensions\
personas@christopher.beard [18:19 18/03/2010]
ramback@pavlov.net [13:02 26/10/2009]
silvermelxt@pardal.de [13:51 03/11/2009]
toolbar@alot.com [19:29 17/02/2010]
{069FB356-C69F-7349-D092-AB28AF882F01} [23:15 13/02/2010]
{20a82645-c095-46ed-80e3-08825760534b} [13:02 26/10/2009]
{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [16:34 13/04/2010]
{dc572301-7619-498c-a57d-39143191b318} [20:12 03/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [10:09 13/02/2010]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3" [19:44 25/11/2009]

-=E.O.F=-
 
Hi cobo76

1 - Run Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
    On the Scanner tab:
    1. Make sure the "Perform full scan" option is selected.
    2. Then click on the Scan button.
    3. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    4. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    5. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    6. Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
    We will take care of the System Volume Information items later.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


2 - Status Check
Please reply with

description of any problems you are having with your PC

Thanks peku006
 
Hello Peku006,

The requested log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3987

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

14/04/2010 18:13:56
mbam-log-2010-04-14 (18-13-56).txt

Scan type: Full scan (C:\|D:\|G:\|)
Objects scanned: 240052
Time elapsed: 51 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Documents\Received files\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
D:\Documents\Received files\Photoshop (Keygen and tutorial)\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.


******************************************************

The computer works fine in general, but sometimes does strange things. Yesterday the Win7 Gadgets menu didn't start and I couldn't get them to work, but it works fine now. Google results still redirect from time to time to unharmful pages like:
http://uk.ask.com/web?q=samsung le40c650 revi&siteid=10000857&qsrc=999&l=dis

http://prodomainmoney.com/result.ph...8b1fd96f77f4c365687064120b8825f99e5&Submit=Go

(In both cases I was googling a Samsung TV.) The common feature is that it redirects somewhere for only a second (with an empty screen) and then jumps to some unharmful page. I made a screenshot of that first redirection phase:

http://forums.spybot.info/attachment.php?attachmentid=4804&stc=1&d=1271267559

Thanks for your help,
cobo76
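Added example, not part of the thread: a small parser for the Malwarebytes' Anti-Malware 1.x log layout posted above, which cross-checks the summary counts against the detail sections and flags any detection that was not quarantined. The sample log is a constructed excerpt, and the line patterns are an assumption based on the log as it appears in this thread.

```python
import re

# Constructed excerpt in the layout of a Malwarebytes' Anti-Malware 1.x log
# (assumption: the real log in the thread is longer; only the parts the
# parser needs are kept here).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.45
Database version: 3987

Registry Keys Infected: 0
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Files Infected:
D:\\Documents\\Received files\\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
D:\\Documents\\Received files\\Photoshop (Keygen and tutorial)\\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# The path group is greedy so parentheses inside the path stay in the path;
# the threat name is the last parenthesised token before " -> ".
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return ({section: declared count}, {section: [(path, threat, action), ...]})."""
    counts, items, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            section = m.group(1)
            items.setdefault(section, [])
        elif section and (m := ITEM_RE.match(line)):
            items[section].append((m["path"], m["threat"], m["action"]))
    return counts, items


def review(counts, items):
    """Flag count/detail mismatches and detections that were not quarantined."""
    findings = []
    for section, declared in counts.items():
        found = len(items.get(section, []))
        if declared != found:
            findings.append(f"{section}: summary says {declared}, detail lists {found}")
    for section, entries in items.items():
        for path, threat, action in entries:
            if "Quarantined" not in action:
                findings.append(f"{path} ({threat}) not quarantined: {action}")
    return findings
```

An empty list from review() means the summary and detail sections agree and every listed item was quarantined; anything else is worth a second look before declaring the scan clean.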
 
Hi cobo76

Download CKScanner by askey127 from HERE
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Thanks peku006
 
Hi there,

Log:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----


Thanks,
cobo
 
Hi cobo

Why did you have these?

D:\Documents\Received files\Keygen.exe
D:\Documents\Received files\Photoshop (Keygen and tutorial)\Keygen.exe

Thanks peku006
 
Hello peku006,

I must have received them, but they're all deleted now, I double-checked. They're not needed. Why?

cobo76
 
Hi cobo

We do not support the use of illegal Pirated/Warez/Cracked software

1 - Clean temp files

  • Please download TFC to your desktop
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click Yes to reboot.

NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go here then click on:
    EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on:
    EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
    EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on:
    EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006
 