
A while ago, Google search links redirected me to random websites. Since then, I've cleaned out my computer to the best of my knowledge, and the problem seemed to have been cleared up.

A short time after that, I realized the problem hadn't been completely removed. Once in a while I would still get redirected from the Google search links, so I decided to run Malwarebytes one more time. I updated Malwarebytes and it found two infections; after removal, I ran it again and got a clean log.

After the second Malwarebytes scan, I went and scanned the computer using ESET Online scanner, and it came back with ten infections, but only eight were removed. The two remaining threats were Win32/Spy.Ursnif.A Virus, with one target being C:\WINDOWS\system32\termsrv.dll, and the other being Operating Memory.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 2:58:23 PM, on 2/12/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Microsoft Office 97\Office\OSA.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061115

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: CurseClientStartup.ccip

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

--

End of file - 9195 bytes


Hello AtWitsEnd

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below:


    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


Thanks for the quick response.

For some reason, OTL did not come back with an Extras.txt. I tried looking for it but I couldn't find it, sorry.

OTL logfile created on: 2/13/2010 5:14:20 PM - Run 2

OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Username\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 555.00 Mb Available Physical Memory | 54.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 145.75 Gb Total Space | 73.66 Gb Free Space | 50.54% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: D7FXS3C1

Current User Name: Username

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Username\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Motive\McciCMService.exe (Alcatel-Lucent)

PRC - C:\Program Files\Winamp\winampa.exe ()

PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe (Microsoft Corporation)

PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

PRC - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)

PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe ()

PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()

PRC - C:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc.)

PRC - C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe (Corel, Inc.)

PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)

PRC - C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

PRC - C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()

PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)

PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)

PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)

PRC - C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE ()

PRC - C:\Program Files\Microsoft Office 97\Office\OSA.EXE ()

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Username\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (McciCMService) -- C:\Program Files\Common Files\Motive\McciCMService.exe (Alcatel-Lucent)

SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)

SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

SRV - (aawservice) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)

SRV - (Adobe LM Service) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)

SRV - (wampapache) -- c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe (Apache Software Foundation)

SRV - (wampmysqld) -- c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe ()

SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (iastor) -- C:\WINDOWS\system32\drivers\iastor.sys (Intel Corporation)

DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)

DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (tap0901) -- C:\WINDOWS\system32\drivers\tap0901.sys (The OpenVPN Project)

DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)

DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)

DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)

DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)

DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)

DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)

DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)

DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)

DRV - (npkcusb) -- C:\Program Files\Nexon\MapleStoryV55\npkcusb.sys (INCA Internet Co., Ltd.)

DRV - (npkcrypt) -- C:\Program Files\Nexon\MapleStoryV55\npkcrypt.sys (INCA Internet Co., Ltd.)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (motmodem) -- C:\WINDOWS\system32\drivers\motmodem.sys (Motorola)

DRV - (ASCTRM) -- C:\WINDOWS\system32\drivers\asctrm.sys (Windows ® 2000 DDK provider)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)

DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )

DRV - (DSproct) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)

DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)

DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)

DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)

DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)

DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)

DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)

DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)

DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)

DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)

DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)

DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)

DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)

DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)

DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)

DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)

DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

DRV - (E100B) Intel® -- C:\WINDOWS\system32\drivers\e100b325.sys (Intel Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061115

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061115

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3

FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.5

FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1

FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.17

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/11/10 22:03:11 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 00:22:15 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/07 15:08:16 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/15 14:29:38 | 000,000,000 | ---D | M]

[2008/08/31 11:19:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Mozilla\Extensions

[2008/08/31 11:19:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Username\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2010/02/12 10:29:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions

[2009/09/02 11:52:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/03/27 14:51:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}-trash

[2010/02/12 10:29:04 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

[2009/10/11 23:54:04 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}(2)

[2010/02/12 10:29:08 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010/02/12 10:29:07 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

[2009/11/05 17:31:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\extensions\firebug@software.joehewitt.com

[2010/02/11 23:19:38 | 000,001,137 | ---- | M] () -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\searchplugins\dictionarycom.xml

[2009/01/29 21:40:37 | 000,002,006 | ---- | M] () -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\searchplugins\urban-dictionary.xml

[2008/06/03 15:34:49 | 000,001,628 | ---- | M] () -- C:\Documents and Settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\searchplugins\youtube.xml

[2010/02/13 17:13:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/01/06 17:48:34 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/11/04 19:14:13 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}

[2008/11/10 22:03:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

[2009/01/26 13:19:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

[2010/01/06 17:48:28 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2010/01/06 17:48:28 | 000,134,616 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2006/09/03 13:12:48 | 000,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll

[2008/11/10 23:38:54 | 000,663,552 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll

[2008/11/10 05:43:30 | 000,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

[2010/01/06 17:48:29 | 000,065,496 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2009/03/16 22:29:58 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

[2009/11/17 19:00:51 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

[2009/11/17 19:00:51 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

[2009/11/17 19:00:51 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

[2009/11/17 19:00:51 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

[2009/11/17 19:00:51 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

[2009/11/17 19:00:51 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

[2009/11/17 19:00:51 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

[2005/08/09 10:42:53 | 000,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll

[2007/04/16 09:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

[2009/08/04 20:12:00 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml

[2009/08/04 20:12:00 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2009/08/04 20:12:00 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2009/08/04 20:12:00 | 000,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml

[2009/08/04 20:12:00 | 000,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2009/08/04 20:12:00 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2009/08/04 20:12:00 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/02/01 22:11:01 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)

O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe (Corel, Inc.)

O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)

O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()

O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)

O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()

O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\Username\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\Username\Start Menu\Programs\Startup\CurseClientStartup.ccip ()

O4 - Startup: C:\Documents and Settings\Username\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE ()

O4 - Startup: C:\Documents and Settings\Username\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)

O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Username\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/10 11:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/13 17:11:52 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Username\Desktop\OTL.exe

[2010/02/12 14:58:11 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro

[2010/02/12 14:29:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/02/12 12:59:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/02/10 16:11:52 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Username\Recent

[2010/02/10 16:10:58 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2010/02/03 13:04:01 | 000,000,000 | ---D | C] -- C:\Program Files\Combined Community Codec Pack

[2010/02/01 22:00:50 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/02/01 21:27:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/02/01 19:24:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2010/02/01 19:24:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/02/01 19:24:00 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2010/02/01 19:23:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2010/02/01 18:52:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2010/02/01 18:52:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/02/01 11:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Username\Desktop\You're Beautiful

[2010/02/01 00:27:30 | 000,000,000 | ---D | C] -- C:\Program Files\DirectVobSub

[2010/01/31 23:34:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\mycodec

[2010/01/31 23:34:33 | 000,000,000 | ---D | C] -- C:\Program Files\MyVideoConverter

[2010/01/15 14:21:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/01/15 14:21:47 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/01/15 14:21:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/01/15 14:16:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared

[2009/12/12 18:47:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

[2008/06/07 15:15:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2004/08/10 10:57:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/13 17:11:52 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Username\Desktop\OTL.exe

[2010/02/13 16:46:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/02/13 16:46:04 | 000,253,748 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml

[2010/02/13 16:45:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/02/13 16:45:54 | 1071,685,632 | -HS- | M] () -- C:\hiberfil.sys

[2010/02/13 00:13:49 | 008,126,464 | ---- | M] () -- C:\Documents and Settings\Username\NTUSER.DAT

[2010/02/13 00:13:27 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Username\ntuser.ini

[2010/02/12 14:58:16 | 000,002,453 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\HiJackThis.lnk

[2010/02/12 14:57:47 | 001,401,344 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\HijackThis.msi

[2010/02/12 14:14:26 | 000,069,459 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\ESET Online Scanner.JPG

[2010/02/12 12:55:21 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/02/12 12:28:57 | 000,884,736 | ---- | M] () -- C:\ffastunT.ffl

[2010/02/12 00:29:40 | 000,245,760 | -H-- | M] () -- C:\ffastun.ffo

[2010/02/12 00:29:40 | 000,004,536 | -H-- | M] () -- C:\ffastun.ffa

[2010/02/12 00:29:39 | 004,714,496 | -H-- | M] () -- C:\ffastun0.ffx

[2010/02/12 00:29:39 | 000,884,736 | -H-- | M] () -- C:\ffastun.ffl

[2010/02/10 16:12:52 | 000,096,508 | ---- | M] () -- C:\Documents and Settings\Username\My Documents\cc_20100210_161232.reg

[2010/02/10 13:04:17 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Username\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/02/09 17:51:49 | 000,001,571 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\Paint.lnk

[2010/02/07 23:58:02 | 000,404,521 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\0207101557a.jpg

[2010/02/07 23:57:46 | 000,474,648 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\0207101557.jpg

[2010/02/07 23:15:46 | 000,015,434 | ---- | M] () -- C:\Documents and Settings\Username\Application Data\wklnhst.dat

[2010/02/02 11:03:31 | 000,000,312 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\Curse Client.appref-ms

[2010/02/01 22:11:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/02/01 22:00:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/02/01 21:03:24 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Vbiko.dat

[2010/02/01 19:54:17 | 000,246,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys

[2010/02/01 18:50:06 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Icucoma.bin

[2010/01/31 23:40:50 | 000,005,527 | ---- | M] () -- C:\WINDOWS\System32\drivers\mycodec\449233121.gif

[2010/01/31 23:34:49 | 000,005,527 | ---- | M] () -- C:\WINDOWS\System32\drivers\mycodec\445625621.gif

[2010/01/30 14:48:29 | 000,001,676 | ---- | M] () -- C:\Documents and Settings\Username\Desktop\Runes of Magic.lnk

[2010/01/15 14:21:51 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/12 14:58:11 | 000,002,453 | ---- | C] () -- C:\Documents and Settings\Username\Desktop\HiJackThis.lnk

[2010/02/12 14:57:43 | 001,401,344 | ---- | C] () -- C:\Documents and Settings\Username\Desktop\HijackThis.msi

[2010/02/12 14:14:26 | 000,069,459 | ---- | C] () -- C:\Documents and Settings\Username\Desktop\ESET Online Scanner.JPG

[2010/02/12 12:25:40 | 000,884,736 | ---- | C] () -- C:\ffastunT.ffl

[2010/02/10 16:12:38 | 000,096,508 | ---- | C] () -- C:\Documents and Settings\Username\My Documents\cc_20100210_161232.reg

[2010/02/07 16:00:23 | 000,474,648 | ---- | C] () -- C:\Documents and Settings\Username\Desktop\0207101557.jpg

[2010/02/07 16:00:23 | 000,404,521 | ---- | C] () -- C:\Documents and Settings\Username\Desktop\0207101557a.jpg

[2010/02/03 12:41:47 | 000,129,024 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE

[2010/02/01 22:00:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/02/01 22:00:51 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/02/01 18:50:06 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Vbiko.dat

[2010/02/01 18:50:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Icucoma.bin

[2010/01/31 23:40:50 | 000,005,527 | ---- | C] () -- C:\WINDOWS\System32\drivers\mycodec\449233121.gif

[2010/01/31 23:34:49 | 000,005,527 | ---- | C] () -- C:\WINDOWS\System32\drivers\mycodec\445625621.gif

[2010/01/15 14:21:51 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/12/07 01:41:47 | 000,234,912 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2009/06/29 22:18:49 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\d3dx9.dll

[2008/11/09 20:22:09 | 000,015,434 | ---- | C] () -- C:\Documents and Settings\Username\Application Data\wklnhst.dat

[2008/08/02 16:00:37 | 001,073,152 | ---- | C] () -- C:\WINDOWS\System32\libmysql_c.dll

[2007/11/28 10:34:56 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2007/09/24 20:16:18 | 000,002,828 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2007/09/24 20:16:18 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\F76360A42E.sys

[2007/01/24 15:49:21 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Username\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2006/11/21 20:48:51 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini

[2006/11/21 20:00:17 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Username\Application Data\dvd.bmk

[2006/11/21 19:55:58 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Username\Local Settings\Application Data\fusioncache.dat

[2006/11/21 19:50:04 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2006/11/15 17:21:57 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/11/15 17:15:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2006/11/15 17:09:01 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/11/15 16:42:46 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

[2006/11/15 16:42:16 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2005/11/10 06:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/10 11:12:05 | 000,000,788 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/10 11:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2003/09/23 04:14:42 | 001,099,264 | ---- | C] () -- C:\WINDOWS\System32\cygxml2-2.dll

[2003/08/10 06:59:20 | 000,980,992 | ---- | C] () -- C:\WINDOWS\System32\cygiconv-2.dll

[2003/08/08 16:28:16 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll

[2003/01/07 13:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[1996/12/08 23:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

[1996/12/08 23:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2009/06/18 12:03:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore

[2008/07/13 20:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software

[2009/03/16 22:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files

[2008/06/21 08:49:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap

[2008/08/12 15:20:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard

[2009/06/05 21:03:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!

[2009/06/06 00:03:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/12/08 11:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tencent

[2009/06/18 12:03:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2009/12/12 15:37:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindSolutions

[2006/11/15 17:12:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO

[2009/11/17 19:02:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/06/24 18:26:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\.purple

[2006/11/21 20:55:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\acccore

[2007/01/26 21:29:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Aim

[2009/06/30 18:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Auslogics

[2009/12/12 15:38:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\CopyTransPhoto

[2009/01/21 22:48:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\godzHell

[2007/07/26 11:43:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Nexon

[2007/09/25 20:13:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\NJStar

[2008/01/27 00:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Opera

[2009/06/18 12:06:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\QQ Games Plugin

[2009/10/17 20:25:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\SystemRequirementsLab

[2008/12/01 01:09:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Template

[2010/02/10 20:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\uTorrent

[2007/01/27 23:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\Viewpoint

[2009/12/12 15:37:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Username\Application Data\WindSolutions

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2004/08/10 11:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2007/11/16 17:05:42 | 000,000,211 | ---- | M] () -- C:\Boot.bak

[2010/02/01 22:00:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr

[2004/08/10 11:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2008/07/13 20:03:38 | 000,000,000 | ---- | M] () -- C:\DBS.TXT

[2006/11/15 16:46:28 | 000,006,257 | RH-- | M] () -- C:\dell.sdr

[2010/02/12 00:29:40 | 000,004,536 | -H-- | M] () -- C:\ffastun.ffa

[2010/02/12 00:29:39 | 000,884,736 | -H-- | M] () -- C:\ffastun.ffl

[2010/02/12 00:29:40 | 000,245,760 | -H-- | M] () -- C:\ffastun.ffo

[2010/02/12 00:29:39 | 004,714,496 | -H-- | M] () -- C:\ffastun0.ffx

[2010/02/12 12:28:57 | 000,884,736 | ---- | M] () -- C:\ffastunT.ffl

[2010/02/13 16:45:54 | 1071,685,632 | -HS- | M] () -- C:\hiberfil.sys

[2007/11/17 13:38:00 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1

[2004/08/10 11:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS

[2009/06/18 12:05:56 | 000,004,038 | -H-- | M] () -- C:\IPH.PH

[2004/08/10 11:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS

[2004/08/04 03:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2004/08/04 03:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr

[2010/02/13 16:45:53 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

[2006/11/15 17:17:08 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini

[2010/02/12 12:56:45 | 000,029,450 | ---- | M] () -- C:\TDSSKiller.2.2.3_12.02.2010_12.56.44_log.txt

< MD5 for: AGP440.SYS >

[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys

[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys

[2004/08/03 21:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS

[2004/08/03 21:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\AGP440.SYS

[2004/08/03 21:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >

[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys

[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys

[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >

[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll

[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >

[2006/07/06 09:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\onboard\iastor.sys

[2006/07/06 04:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys

[2006/07/06 04:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys

[2010/02/01 19:54:17 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\drivers\iastor.sys

[2006/07/06 09:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\iaStor.sys

[2006/07/06 05:01:32 | 000,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

< MD5 for: NETLOGON.DLL >

[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll

[2009/02/06 10:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2009/02/06 10:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\dllcache\netlogon.dll

[2009/02/06 10:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\netlogon.dll

[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll

[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389$\netlogon.dll

< MD5 for: SCECLI.DLL >

[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll

[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

[2004/08/10 10:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2004/08/10 10:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2004/08/10 10:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.dll /lockedfiles >

[8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-02-13 17:36:40

Windows 5.1.2600 Service Pack 2

Running: xwb82ov6.exe; Driver: C:\DOCUME~1\USER~1\LOCALS~1\Temp\kwtoapog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEB02B618]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEB02B4D4]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEB02B9B2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEB02B0AC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEB02B5AE]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEB02AFEC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEB02B050]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEB02B6CE]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEB02B68E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEB02B80E]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat B6C70C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


Hi, I see you have run TDSSKiller. Please post the log from it, and also the ESET scan log, which can be found here:

C:\Program Files\ESET\ESET Online Scanner\log.txt < there.

Please post the contents of those logs. Also, I am sure you are still getting redirected at this point, correct?


Well, the redirects would happen randomly, but I haven't been on the computer much the past few days so I'm not certain if the redirects are still happening. I'll play around with Google and see what happens.

12:56:44:968 2320 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00

12:56:44:968 2320 ================================================================================

12:56:44:968 2320 SystemInfo:

12:56:44:968 2320 OS Version: 5.1.2600 ServicePack: 2.0

12:56:44:968 2320 Product type: Workstation

12:56:44:968 2320 ComputerName: D7FXS3C1

12:56:44:968 2320 UserName: Wan You Mei

12:56:44:968 2320 Windows directory: C:\WINDOWS

12:56:44:968 2320 Processor architecture: Intel x86

12:56:44:968 2320 Number of processors: 2

12:56:44:968 2320 Page size: 0x1000

12:56:44:968 2320 Boot type: Normal boot

12:56:44:968 2320 ================================================================================

12:56:44:968 2320 UnloadDriverW: NtUnloadDriver error 2

12:56:44:968 2320 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

12:56:44:968 2320 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

12:56:44:984 2320 UtilityInit: KLMD drop and load success

12:56:44:984 2320 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)

12:56:44:984 2320 UtilityInit: KLMD open success

12:56:44:984 2320 UtilityInit: Initialize success

12:56:44:984 2320

12:56:44:984 2320 Scanning Services ...

12:56:44:984 2320 CreateRegParser: Registry parser init started

12:56:44:984 2320 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

12:56:44:984 2320 CreateRegParser: DisableWow64Redirection error

12:56:44:984 2320 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

12:56:44:984 2320 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

12:56:44:984 2320 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:56:44:984 2320 wfopen_ex: Trying to KLMD file open

12:56:44:984 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

12:56:44:984 2320 wfopen_ex: File opened ok (Flags 2)

12:56:44:984 2320 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: AD49D8

12:56:44:984 2320 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

12:56:44:984 2320 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

12:56:44:984 2320 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

12:56:44:984 2320 wfopen_ex: Trying to KLMD file open

12:56:44:984 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

12:56:44:984 2320 wfopen_ex: File opened ok (Flags 2)

12:56:44:984 2320 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: AD4A80

12:56:44:984 2320 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

12:56:44:984 2320 CreateRegParser: EnableWow64Redirection error

12:56:44:984 2320 CreateRegParser: RegParser init completed

12:56:45:125 2320 GetAdvancedServicesInfo: Raw services enum returned 356 services

12:56:45:125 2320 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

12:56:45:125 2320 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

12:56:45:125 2320

12:56:45:125 2320 Scanning Kernel memory ...

12:56:45:125 2320 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

12:56:45:125 2320 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86767F38

12:56:45:125 2320 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects

12:56:45:125 2320

12:56:45:125 2320 DetectCureTDL3: DEVICE_OBJECT: 86785030

12:56:45:125 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86785030

12:56:45:125 2320 KLMD_ReadMem: Trying to ReadMemory 0x86785030[0x38]

12:56:45:125 2320 DetectCureTDL3: DRIVER_OBJECT: 86767F38

12:56:45:125 2320 KLMD_ReadMem: Trying to ReadMemory 0x86767F38[0xA8]

12:56:45:125 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1008D80[0x18]

12:56:45:125 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

12:56:45:125 2320 DetectCureTDL3: IrpHandler (0) addr: F769AC30

12:56:45:125 2320 DetectCureTDL3: IrpHandler (1) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (2) addr: F769AC30

12:56:45:125 2320 DetectCureTDL3: IrpHandler (3) addr: F7694D9B

12:56:45:125 2320 DetectCureTDL3: IrpHandler (4) addr: F7694D9B

12:56:45:125 2320 DetectCureTDL3: IrpHandler (5) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (6) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (7) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (8) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (9) addr: F7695366

12:56:45:125 2320 DetectCureTDL3: IrpHandler (10) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (11) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (12) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (13) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (14) addr: F769544D

12:56:45:125 2320 DetectCureTDL3: IrpHandler (15) addr: F7698FC3

12:56:45:125 2320 DetectCureTDL3: IrpHandler (16) addr: F7695366

12:56:45:125 2320 DetectCureTDL3: IrpHandler (17) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (18) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (19) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (20) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (21) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (22) addr: F7696EF3

12:56:45:125 2320 DetectCureTDL3: IrpHandler (23) addr: F769BA24

12:56:45:125 2320 DetectCureTDL3: IrpHandler (24) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (25) addr: 804F4544

12:56:45:125 2320 DetectCureTDL3: IrpHandler (26) addr: 804F4544

12:56:45:125 2320 TDL3_FileDetect: Processing driver: Disk

12:56:45:125 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

12:56:45:125 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

12:56:45:156 2320 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

12:56:45:156 2320

12:56:45:156 2320 DetectCureTDL3: DEVICE_OBJECT: 867868A0

12:56:45:156 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867868A0

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0x867868A0[0x38]

12:56:45:156 2320 DetectCureTDL3: DRIVER_OBJECT: 86767F38

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0x86767F38[0xA8]

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1008D80[0x18]

12:56:45:156 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

12:56:45:156 2320 DetectCureTDL3: IrpHandler (0) addr: F769AC30

12:56:45:156 2320 DetectCureTDL3: IrpHandler (1) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (2) addr: F769AC30

12:56:45:156 2320 DetectCureTDL3: IrpHandler (3) addr: F7694D9B

12:56:45:156 2320 DetectCureTDL3: IrpHandler (4) addr: F7694D9B

12:56:45:156 2320 DetectCureTDL3: IrpHandler (5) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (6) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (7) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (8) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (9) addr: F7695366

12:56:45:156 2320 DetectCureTDL3: IrpHandler (10) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (11) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (12) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (13) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (14) addr: F769544D

12:56:45:156 2320 DetectCureTDL3: IrpHandler (15) addr: F7698FC3

12:56:45:156 2320 DetectCureTDL3: IrpHandler (16) addr: F7695366

12:56:45:156 2320 DetectCureTDL3: IrpHandler (17) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (18) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (19) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (20) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (21) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (22) addr: F7696EF3

12:56:45:156 2320 DetectCureTDL3: IrpHandler (23) addr: F769BA24

12:56:45:156 2320 DetectCureTDL3: IrpHandler (24) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (25) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (26) addr: 804F4544

12:56:45:156 2320 TDL3_FileDetect: Processing driver: Disk

12:56:45:156 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

12:56:45:156 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

12:56:45:156 2320 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

12:56:45:156 2320

12:56:45:156 2320 DetectCureTDL3: DEVICE_OBJECT: 86786C68

12:56:45:156 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86786C68

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0x86786C68[0x38]

12:56:45:156 2320 DetectCureTDL3: DRIVER_OBJECT: 86767F38

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0x86767F38[0xA8]

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1008D80[0x18]

12:56:45:156 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

12:56:45:156 2320 DetectCureTDL3: IrpHandler (0) addr: F769AC30

12:56:45:156 2320 DetectCureTDL3: IrpHandler (1) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (2) addr: F769AC30

12:56:45:156 2320 DetectCureTDL3: IrpHandler (3) addr: F7694D9B

12:56:45:156 2320 DetectCureTDL3: IrpHandler (4) addr: F7694D9B

12:56:45:156 2320 DetectCureTDL3: IrpHandler (5) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (6) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (7) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (8) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (9) addr: F7695366

12:56:45:156 2320 DetectCureTDL3: IrpHandler (10) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (11) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (12) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (13) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (14) addr: F769544D

12:56:45:156 2320 DetectCureTDL3: IrpHandler (15) addr: F7698FC3

12:56:45:156 2320 DetectCureTDL3: IrpHandler (16) addr: F7695366

12:56:45:156 2320 DetectCureTDL3: IrpHandler (17) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (18) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (19) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (20) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (21) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (22) addr: F7696EF3

12:56:45:156 2320 DetectCureTDL3: IrpHandler (23) addr: F769BA24

12:56:45:156 2320 DetectCureTDL3: IrpHandler (24) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (25) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (26) addr: 804F4544

12:56:45:156 2320 TDL3_FileDetect: Processing driver: Disk

12:56:45:156 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

12:56:45:156 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

12:56:45:156 2320 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

12:56:45:156 2320

12:56:45:156 2320 DetectCureTDL3: DEVICE_OBJECT: 86767778

12:56:45:156 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86767778

12:56:45:156 2320 DetectCureTDL3: DEVICE_OBJECT: 86787030

12:56:45:156 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86787030

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0x86787030[0x38]

12:56:45:156 2320 DetectCureTDL3: DRIVER_OBJECT: 867DE5B8

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0x867DE5B8[0xA8]

12:56:45:156 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1002338[0x1C]

12:56:45:156 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor

12:56:45:156 2320 DetectCureTDL3: IrpHandler (0) addr: F7432FC2

12:56:45:156 2320 DetectCureTDL3: IrpHandler (1) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (2) addr: F7432FC2

12:56:45:156 2320 DetectCureTDL3: IrpHandler (3) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (4) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (5) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (6) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (7) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (8) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (9) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (10) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (11) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (12) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (13) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (14) addr: F7436CBE

12:56:45:156 2320 DetectCureTDL3: IrpHandler (15) addr: F7436F80

12:56:45:156 2320 DetectCureTDL3: IrpHandler (16) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (17) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (18) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (19) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (20) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (21) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (22) addr: F743B884

12:56:45:156 2320 DetectCureTDL3: IrpHandler (23) addr: F743B9E4

12:56:45:156 2320 DetectCureTDL3: IrpHandler (24) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (25) addr: 804F4544

12:56:45:156 2320 DetectCureTDL3: IrpHandler (26) addr: 804F4544

12:56:45:156 2320 TDL3_FileDetect: Processing driver: iastor

12:56:45:156 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\iastor.sys

12:56:45:156 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\iastor.sys

12:56:45:187 2320 TDL3_FileDetect: C:\WINDOWS\system32\drivers\iastor.sys - Verdict: Clean

12:56:45:187 2320

12:56:45:187 2320 Completed

12:56:45:187 2320

12:56:45:187 2320 Results:

12:56:45:187 2320 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

12:56:45:187 2320 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

12:56:45:187 2320 File objects infected / cured / cured on reboot: 0 / 0 / 0

12:56:45:187 2320

12:56:45:187 2320 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

12:56:45:187 2320 UtilityDeinit: KLMD(ARK) unloaded successfully

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=4dca96717732f6458ee1960487da7f58

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-02-12 10:10:05

# local_time=2010-02-12 02:10:05 (-0800, Pacific Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=769 16775146 100 92 8816176 201375475 41415422 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=86117

# found=10

# cleaned=8

# scan_time=3886

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\7\4c6bf587-3bccf3d1 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Nexon\MapleStoryV55\FinalStory.exe probably a variant of Win32/Spy.Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Nexon\MapleStoryV55\KarmaMS.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Nexon\MapleStoryV55\Launcher.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Nexon\MapleStoryV55\NoobMS.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\Cheat Engine\dbk32.sys.vir Win32/HackTool.CheatEngine application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Spy.Ursnif.A virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.SJ virus (deleted - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\termsrv.dll Win32/Spy.Ursnif.A virus (unable to clean) 00000000000000000000000000000000 I

${Memory} Win32/Spy.Ursnif.A virus 00000000000000000000000000000000 I


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    termsrv.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 12:02 on 14/02/2010 by (Administrator - Elevation successful)

========== filefind ==========

Searching for "termsrv.dll"

C:\i386\termsrv.dll --a--- 295424 bytes [00:23 26/11/2006] [11:00 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6

C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll --a--- 295424 bytes [20:12 22/08/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F

C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:01 10/08/2004] [22:16 13/09/2008] 40FFC19A8D4875E9E19CECDC76EF9201

-=End Of File=-
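The point of the SystemLook filefind step above is the hash comparison: the live C:\WINDOWS\system32\termsrv.dll hashes to 40FFC19A8D4875E9E19CECDC76EF9201, while both pristine copies on the box (the i386 install source and the Windows Update download) hash to something else, which is why ESET's "unable to clean" verdict on that file is worth taking seriously. The script below is an added example, not part of this thread and not SystemLook's own code: it parses filefind output, groups the copies of each file name, and flags any copy under System32 whose MD5 matches none of the reference copies. The three termsrv.dll lines are taken from the log above; the two scecli.dll lines are constructed from the OTL "MD5 for: SCECLI.DLL" hashes with made-up timestamps, to show the clean case. The list of reference locations (i386, dllcache, SoftwareDistribution, ServicePackFiles) is my assumption about where Windows XP keeps pristine copies.

```python
"""Cross-check SystemLook ':filefind' output against reference copies.

A file under System32 should hash the same as at least one pristine copy
Windows keeps around (the i386 install source, dllcache, or a Windows
Update download).  A live copy whose MD5 matches none of them deserves
a closer look.  Added example; not SystemLook's own code.
"""
import re
from collections import defaultdict
from datetime import datetime

# One SystemLook filefind line looks like:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
TS_FMT = "%H:%M %d/%m/%Y"

# Assumed locations of pristine copies on Windows XP (assumption, not from the log).
REFERENCE_MARKERS = ("\\i386\\", "\\dllcache\\",
                     "\\softwaredistribution\\", "\\servicepackfiles\\")

# Constructed sample: termsrv.dll lines copied from the log above, scecli.dll
# lines built from the OTL MD5 section with made-up timestamps.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========

Searching for "termsrv.dll"
C:\i386\termsrv.dll --a--- 295424 bytes [00:23 26/11/2006] [11:00 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll --a--- 295424 bytes [20:12 22/08/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:01 10/08/2004] [22:16 13/09/2008] 40FFC19A8D4875E9E19CECDC76EF9201

Searching for "scecli.dll"
C:\i386\scecli.dll --a--- 180224 bytes [00:23 26/11/2006] [11:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [19:01 10/08/2004] [11:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
"""


def classify(path):
    """'reference' for pristine-copy locations, 'live' for System32, else 'other'."""
    low = path.lower()
    if any(marker in low for marker in REFERENCE_MARKERS):
        return "reference"
    if "\\system32\\" in low:
        return "live"
    return "other"


def parse_filefind(text):
    """Return one dict per matched file line; banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()
        d["created"] = datetime.strptime(d["created"], TS_FMT)
        d["modified"] = datetime.strptime(d["modified"], TS_FMT)
        d["role"] = classify(d["path"])
        d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
        entries.append(d)
    return entries


def find_suspect_copies(entries):
    """Flag live copies whose MD5 matches no reference copy of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for name, copies in by_name.items():
        ref_hashes = {c["md5"] for c in copies if c["role"] == "reference"}
        for c in copies:
            if c["role"] != "live":
                continue
            if not ref_hashes:
                reason = "no reference copy on disk to compare against"
            elif c["md5"] in ref_hashes:
                continue  # live copy is identical to a pristine one
            else:
                reason = "MD5 matches none of %d reference copies" % len(ref_hashes)
            findings.append({"name": name, "path": c["path"], "md5": c["md5"],
                             "modified": c["modified"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspect_copies(parse_filefind(SAMPLE_LOG)):
        print("SUSPECT %s  md5=%s  modified=%s  (%s)" % (
            f["path"], f["md5"], f["modified"].strftime(TS_FMT), f["reason"]))
```

A hash mismatch alone is not proof of infection (a hotfix applied outside Windows Update would also produce one), but a System32 binary that matches neither the install media nor the most recent update package, with a modification time unrelated to either, is exactly the kind of file to submit to a scanner or replace from a known-good source rather than trust.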


Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


ComboFix 10-02-12.01 - 02/14/2010 12:46:07.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.620 [GMT -8:00]

Running from: c:\documents and settings\Username\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1229 [VPS 081010-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))

.

2010-02-12 22:58 . 2010-02-12 22:58 388096 ----a-r- c:\documents and settings\Username\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-12 22:58 . 2010-02-12 22:58 -------- d-----w- c:\program files\TrendMicro

2010-02-12 20:59 . 2010-02-12 20:59 -------- d-----w- c:\program files\ESET

2010-02-11 00:10 . 2010-02-11 00:10 -------- d-----w- c:\program files\CCleaner

2010-02-03 21:04 . 2010-02-03 21:04 -------- d-----w- c:\program files\Combined Community Codec Pack

2010-02-03 20:41 . 1998-04-30 22:56 129024 ----a-w- c:\windows\UNWISE.EXE

2010-02-02 03:24 . 2010-02-02 03:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-02-02 02:50 . 2010-02-02 05:03 120 ----a-w- c:\windows\Vbiko.dat

2010-02-02 02:50 . 2010-02-02 02:50 0 ----a-w- c:\windows\Icucoma.bin

2010-02-01 08:27 . 2010-02-01 08:27 -------- d-----w- c:\program files\DirectVobSub

2010-02-01 07:34 . 2010-02-01 07:40 -------- d-----w- c:\windows\system32\drivers\mycodec

2010-02-01 07:34 . 2010-02-01 07:44 -------- d-----w- c:\program files\MyVideoConverter

2010-01-15 22:21 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-15 22:21 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-15 22:21 . 2010-01-15 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-15 22:16 . 2010-01-15 22:34 -------- d-----w- c:\program files\Common Files\DivX Shared

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-12 18:36 . 2009-06-13 06:38 -------- d-----w- c:\program files\Runes of Magic

2010-02-11 04:05 . 2009-03-27 04:17 -------- d-----w- c:\documents and settings\Username\Application Data\uTorrent

2010-02-11 00:12 . 2009-06-06 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-08 07:15 . 2008-11-10 04:22 15434 ----a-w- c:\documents and settings\Username\Application Data\wklnhst.dat

2010-02-03 07:21 . 2009-12-07 09:41 234912 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-02 06:09 . 2009-06-30 06:18 -------- d-----w- c:\program files\Cheat Engine

2010-02-02 05:35 . 2006-11-16 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-02-02 05:35 . 2006-11-16 01:05 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-02 03:54 . 2006-11-16 00:42 246784 ----a-w- c:\windows\system32\drivers\iastor.sys

2010-02-02 03:23 . 2010-02-02 03:23 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2010-01-26 23:20 . 2009-11-23 23:33 79488 ----a-w- c:\documents and settings\Username\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-01-17 02:23 . 2008-07-22 07:15 -------- d-----w- c:\program files\DivX

2010-01-14 06:14 . 2009-06-18 20:04 -------- d-----w- c:\program files\AIMTunes

2010-01-11 07:07 . 2009-11-05 03:14 -------- d-----w- c:\documents and settings\Username\Application Data\Skype

2010-01-11 07:07 . 2009-11-05 03:19 -------- d-----w- c:\documents and settings\Username\Application Data\skypePM

2010-01-04 02:51 . 2010-01-04 02:34 -------- d-----w- c:\program files\Audacity

2010-01-04 01:53 . 2008-07-14 04:46 1024 ----a-w- c:\documents and settings\All Users\Application Data\BVRP Software\mobile PhoneTools\faxres.cmd

2010-01-02 10:49 . 2009-12-08 19:52 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-31 16:14 . 2004-08-10 18:51 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-24 02:40 . 2008-11-01 22:37 39 ----a-w- c:\documents and settings\Username\jagex_runescape_preferences.dat

2009-12-24 02:38 . 2009-09-20 22:35 69 ----a-w- c:\documents and settings\Username\jagex_runescape_preferences2.dat

2009-12-22 05:35 . 2004-08-10 18:51 668672 ------w- c:\windows\system32\wininet.dll

2009-12-22 05:35 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-12-16 12:58 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:35 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 18:11 . 2004-08-10 18:51 2142720 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 17:35 . 2004-08-04 04:59 2020864 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 14:41 . 2006-11-16 00:41 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:33 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:33 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:37 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-21 16:36 . 2004-08-10 18:50 470528 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-20 12:51 . 2009-11-20 12:51 98304 ----a-w- c:\windows\system32\DirShowEXDD.dll

2008-09-22 02:56 . 2007-09-25 04:16 88 --sh--r- c:\windows\system32\F76360A42E.sys

2008-09-22 02:56 . 2007-09-25 04:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

c:\program files\Nexon\MapleStoryV55\KISSMS[BETA] .exe

------- Sigcheck -------

[-] 2008-09-13 . 40FFC19A8D4875E9E19CECDC76EF9201 . 295424 . . [5.1.2600.2180] . . c:\windows\system32\termsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-16 26112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-16 169984]

"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Username\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

CurseClientStartup.ccip [2009-12-7 0]

Microsoft Find Fast.lnk - c:\program files\Microsoft Office 97\Office\FINDFAST.EXE [1996-12-8 111376]

Office Startup.lnk - c:\program files\Microsoft Office 97\Office\OSA.EXE [1996-12-8 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\counter-strike\\hl.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\condition zero\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\condition zero deleted scenes\\hl.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\steam.exe"=

"c:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=

"c:\\Program Files\\Nexon\\MaplestoryV60\\ChickenMS_v60_NO-DC.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Username\\Desktop\\New Folder\\utorrent.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Username\\Local Settings\\Apps\\2.0\\Q9YJLAAL.DW1\\OKO8EB2G.PJK\\curs..tion_eee711038731a406_0004.0000_1430d97334050788\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"21216:TCP"= 21216:TCP:BitComet 21216 TCP

"21216:UDP"= 21216:UDP:BitComet 21216 UDP

"10211:TCP"= 10211:TCP:BitComet 10211 TCP

"10211:UDP"= 10211:UDP:BitComet 10211 UDP

"58295:TCP"= 58295:TCP:Pando Media Booster

"58295:UDP"= 58295:UDP:Pando Media Booster

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/12/2008 3:28 PM 78416]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2008 3:28 PM 20560]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/20/2007 8:07 PM 24652]

S3 XDva092;XDva092;\??\c:\windows\system32\XDva092.sys --> c:\windows\system32\XDva092.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = www.msn.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\

FF - plugin: c:\program files\Common Files\Motive\npMotive.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-14 12:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2352)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-02-14 12:51:16

ComboFix-quarantined-files.txt 2010-02-14 20:51

Pre-Run: 79,018,848,256 bytes free

Post-Run: 79,028,903,936 bytes free

- - End Of File - - F403C7CF066D2BF0376AA4D333C36D98


1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
C:\i386\termsrv.dll|C:\WINDOWS\system32\termsrv.dll
C:\i386\termsrv.dll|c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

File::
c:\program files\Nexon\MapleStoryV55\KISSMS[BETA] .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After the reboot (in case it asks to reboot), please post the following report/log in your next reply:

  • Combofix.txt

=============


The first scan crashed the computer, resulting in a blue screen. I ran it again and the results are:

ComboFix 10-02-12.01 - Username 02/14/2010 15:04:56.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.639 [GMT -8:00]

Running from: c:\documents and settings\Username\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Username\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1229 [VPS 081010-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\program files\Nexon\MapleStoryV55\KISSMS[bETA] .exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\program files\Nexon\MapleStoryV55\KISSMS[bETA] .exe

.

--------------- FCopy ---------------

c:\i386\termsrv.dll --> c:\windows\system32\termsrv.dll

c:\i386\termsrv.dll --> c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

.

((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))

.

2010-02-12 22:58 . 2010-02-12 22:58 388096 ----a-r- c:\documents and settings\Username\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-12 22:58 . 2010-02-12 22:58 -------- d-----w- c:\program files\TrendMicro

2010-02-12 20:59 . 2010-02-12 20:59 -------- d-----w- c:\program files\ESET

2010-02-11 00:10 . 2010-02-11 00:10 -------- d-----w- c:\program files\CCleaner

2010-02-03 21:04 . 2010-02-03 21:04 -------- d-----w- c:\program files\Combined Community Codec Pack

2010-02-03 20:41 . 1998-04-30 22:56 129024 ----a-w- c:\windows\UNWISE.EXE

2010-02-02 03:24 . 2010-02-02 03:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-02-02 02:50 . 2010-02-02 05:03 120 ----a-w- c:\windows\Vbiko.dat

2010-02-02 02:50 . 2010-02-02 02:50 0 ----a-w- c:\windows\Icucoma.bin

2010-02-01 08:27 . 2010-02-01 08:27 -------- d-----w- c:\program files\DirectVobSub

2010-02-01 07:34 . 2010-02-01 07:40 -------- d-----w- c:\windows\system32\drivers\mycodec

2010-02-01 07:34 . 2010-02-01 07:44 -------- d-----w- c:\program files\MyVideoConverter

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-14 22:43 . 2009-11-23 23:33 79488 ----a-w- c:\documents and settings\Username\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-12 18:36 . 2009-06-13 06:38 -------- d-----w- c:\program files\Runes of Magic

2010-02-11 04:05 . 2009-03-27 04:17 -------- d-----w- c:\documents and settings\Username\Application Data\uTorrent

2010-02-11 00:12 . 2009-06-06 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-08 07:15 . 2008-11-10 04:22 15434 ----a-w- c:\documents and settings\Username\Application Data\wklnhst.dat

2010-02-03 07:21 . 2009-12-07 09:41 234912 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-02 06:09 . 2009-06-30 06:18 -------- d-----w- c:\program files\Cheat Engine

2010-02-02 05:35 . 2006-11-16 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-02-02 05:35 . 2006-11-16 01:05 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-02 03:54 . 2006-11-16 00:42 246784 ----a-w- c:\windows\system32\drivers\iastor.sys

2010-02-02 03:23 . 2010-02-02 03:23 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2010-01-17 02:23 . 2008-07-22 07:15 -------- d-----w- c:\program files\DivX

2010-01-15 22:34 . 2010-01-15 22:16 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-01-15 22:21 . 2010-01-15 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-14 06:14 . 2009-06-18 20:04 -------- d-----w- c:\program files\AIMTunes

2010-01-11 07:07 . 2009-11-05 03:14 -------- d-----w- c:\documents and settings\Username\Application Data\Skype

2010-01-11 07:07 . 2009-11-05 03:19 -------- d-----w- c:\documents and settings\Username\Application Data\skypePM

2010-01-08 00:07 . 2010-01-15 22:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-08 00:07 . 2010-01-15 22:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-04 02:51 . 2010-01-04 02:34 -------- d-----w- c:\program files\Audacity

2010-01-04 01:53 . 2008-07-14 04:46 1024 ----a-w- c:\documents and settings\All Users\Application Data\BVRP Software\mobile PhoneTools\faxres.cmd

2010-01-02 10:49 . 2009-12-08 19:52 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-31 16:14 . 2004-08-10 18:51 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-24 02:40 . 2008-11-01 22:37 39 ----a-w- c:\documents and settings\Username\jagex_runescape_preferences.dat

2009-12-24 02:38 . 2009-09-20 22:35 69 ----a-w- c:\documents and settings\Username\jagex_runescape_preferences2.dat

2009-12-22 05:35 . 2004-08-10 18:51 668672 ------w- c:\windows\system32\wininet.dll

2009-12-22 05:35 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-12-16 12:58 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:35 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 18:11 . 2004-08-10 18:51 2142720 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 17:35 . 2004-08-04 04:59 2020864 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 14:41 . 2006-11-16 00:41 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:33 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:33 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:37 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-21 16:36 . 2004-08-10 18:50 470528 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-20 12:51 . 2009-11-20 12:51 98304 ----a-w- c:\windows\system32\DirShowEXDD.dll

2008-09-22 02:56 . 2007-09-25 04:16 88 --sh--r- c:\windows\system32\F76360A42E.sys

2008-09-22 02:56 . 2007-09-25 04:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-02-14_20.49.49 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-14 23:02 . 2010-02-14 23:02 16384 c:\windows\Temp\Perflib_Perfdata_700.dat

+ 2004-08-10 19:01 . 2004-08-04 11:00 295424 c:\windows\system32\dllcache\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-16 26112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-16 169984]

"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Username\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

CurseClientStartup.ccip [2009-12-7 0]

Microsoft Find Fast.lnk - c:\program files\Microsoft Office 97\Office\FINDFAST.EXE [1996-12-8 111376]

Office Startup.lnk - c:\program files\Microsoft Office 97\Office\OSA.EXE [1996-12-8 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\counter-strike\\hl.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\condition zero\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\condition zero deleted scenes\\hl.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\steam.exe"=

"c:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=

"c:\\Program Files\\Nexon\\MaplestoryV60\\ChickenMS_v60_NO-DC.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Username\\Desktop\\New Folder\\utorrent.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Username\\Local Settings\\Apps\\2.0\\Q9YJLAAL.DW1\\OKO8EB2G.PJK\\curs..tion_eee711038731a406_0004.0000_1430d97334050788\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"21216:TCP"= 21216:TCP:BitComet 21216 TCP

"21216:UDP"= 21216:UDP:BitComet 21216 UDP

"10211:TCP"= 10211:TCP:BitComet 10211 TCP

"10211:UDP"= 10211:UDP:BitComet 10211 UDP

"58295:TCP"= 58295:TCP:Pando Media Booster

"58295:UDP"= 58295:UDP:Pando Media Booster

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/12/2008 3:28 PM 78416]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2008 3:28 PM 20560]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/20/2007 8:07 PM 24652]

S3 XDva092;XDva092;\??\c:\windows\system32\XDva092.sys --> c:\windows\system32\XDva092.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = www.msn.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\

FF - plugin: c:\program files\Common Files\Motive\npMotive.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-14 15:08

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-02-14 15:10:11

ComboFix-quarantined-files.txt 2010-02-14 23:10

ComboFix2.txt 2010-02-14 20:51

Pre-Run: 79,021,682,688 bytes free

Post-Run: 78,987,436,032 bytes free

- - End Of File - - 8A058A0EB7DDE760F5D78533F8A9F9C1


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, February 15, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, February 15, 2010 20:19:58

Records in database: 3506786

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Scan statistics:

Objects scanned: 96640

Threats found: 4

Infected objects found: 11

Suspicious objects found: 0

Scan duration: 02:52:23

File name / Threat / Threats count

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33C355DB.zip Infected: Exploit.Java.ByteVerify 2

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33C355DB.zip Infected: Trojan-Downloader.Java.OpenConnection.aa 1

C:\Nexon\MapleStory v75\HypnoticStory.exe Infected: Trojan-GameThief.Win32.OnLineGames.wbxl 1

C:\Nexon\MapleStory v75\MapleTales.exe Infected: Trojan-GameThief.Win32.OnLineGames.wbxl 1

C:\Nexon\MapleStory v75\VibrantMS.exe Infected: Trojan-GameThief.Win32.OnLineGames.wbxl 1

C:\Nexon\MapleStory v75\YCMS.exe Infected: Trojan-GameThief.Win32.OnLineGames.wbxl 1

C:\Program Files\Nexon\MaplestoryV60\AdeptMaple.exe Infected: Trojan-GameThief.Win32.OnLineGames.wadc 1

C:\Program Files\Nexon\MaplestoryV60\ChickenMS_v60_NO-DC.exe Infected: Trojan-GameThief.Win32.OnLineGames.wadc 1

C:\Program Files\Nexon\MaplestoryV60\LeafMS-Alpha v.2.exe Infected: Trojan-GameThief.Win32.OnLineGames.wadc 1

C:\Program Files\Nexon\MaplestoryV60\WingedMS.exe Infected: Trojan-GameThief.Win32.OnLineGames.wadc 1

Selected area has been scanned.


1. Please open Notepad

  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33C355DB.zip
C:\Nexon\MapleStory v75\HypnoticStory.exe
C:\Nexon\MapleStory v75\MapleTales.exe
C:\Nexon\MapleStory v75\VibrantMS.exe
C:\Nexon\MapleStory v75\YCMS.exe
C:\Program Files\Nexon\MaplestoryV60\AdeptMaple.exe
C:\Program Files\Nexon\MaplestoryV60\ChickenMS_v60_NO-DC.exe
C:\Program Files\Nexon\MaplestoryV60\LeafMS-Alpha v.2.exe
C:\Program Files\Nexon\MaplestoryV60\WingedMS.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After the reboot (in case it asks to reboot), please post the following report/log in your next reply:

  • Combofix.txt

=============

After that, let me know how it is running.

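As an added example (not code from this thread or from ComboFix), the script below parses the CFScript format used in both fix posts above, FCopy:: source|destination pairs and File:: deletions, and checks the filesystem after the run: each FCopy destination must carry the same MD5 as its source, and each File:: path must be gone. The directory tree it builds is constructed for the demonstration; the two MD5 values are the ones SystemLook and ComboFix's Sigcheck reported for termsrv.dll earlier in the thread.

```python
"""Check the outcome of a ComboFix CFScript run (added example, not ComboFix code).

Handles the two directives used in this thread: FCopy:: (source|destination) and
File:: (path to delete). After the run, each FCopy destination must carry the same
MD5 as its source and each File:: path must be gone. demo() builds a constructed tree.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# The exact script posted in the thread, used here only to exercise the parser.
THREAD_SCRIPT = r"""FCopy::
C:\i386\termsrv.dll|C:\WINDOWS\system32\termsrv.dll
C:\i386\termsrv.dll|c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

File::
c:\program files\Nexon\MapleStoryV55\KISSMS[BETA] .exe
"""

# MD5s of the two termsrv.dll copies that ComboFix's Sigcheck marked [-] in the thread.
FLAGGED_MD5 = {"40FFC19A8D4875E9E19CECDC76EF9201", "FF3477C03BE7201C294C35F684B3479F"}


@dataclass
class CFScript:
    fcopy: list = field(default_factory=list)  # (source, destination) pairs
    files: list = field(default_factory=list)  # paths the script asks ComboFix to delete


def parse_cfscript(text: str) -> CFScript:
    """A section starts with a line ending in '::' and runs until the next blank line."""
    script = CFScript()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if line.endswith("::"):
            section = line[:-2].lower()
            continue
        if section == "fcopy":
            src, sep, dst = line.partition("|")
            if not sep:
                raise ValueError(f"FCopy line lacks a '|' separator: {line}")
            script.fcopy.append((src.strip(), dst.strip()))
        elif section == "file":
            script.files.append(line)
        # Other directives (Folder::, Registry::, ...) are outside this example's scope.
    return script


def md5_of(path: str) -> str:
    """Upper-case hex MD5, the form SystemLook and ComboFix print."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest().upper()


def verify_run(script: CFScript) -> dict:
    """Findings per directive; two empty lists mean the run matched the script."""
    findings = {"fcopy": [], "file": []}
    for src, dst in script.fcopy:
        if not os.path.isfile(dst):
            findings["fcopy"].append(f"{dst}: missing after FCopy")
            continue
        dst_md5 = md5_of(dst)
        if dst_md5 != md5_of(src):
            findings["fcopy"].append(f"{dst}: MD5 {dst_md5} differs from source")
        elif dst_md5 in FLAGGED_MD5:
            findings["fcopy"].append(f"{dst}: copied, but the source itself has flagged MD5 {dst_md5}")
    for path in script.files:
        if os.path.exists(path):
            findings["file"].append(f"{path}: still present after File:: deletion")
    return findings


def demo() -> tuple:
    """Constructed tree: clean i386 copy, modified system32 copy, one file to delete.
    Returns the findings before and after the script's actions are carried out."""
    root = tempfile.mkdtemp(prefix="cfscript-demo-")
    i386, sys32, nexon = (os.path.join(root, d) for d in ("i386", "system32", "Nexon"))
    for d in (i386, sys32, nexon):
        os.makedirs(d)
    clean = os.path.join(i386, "termsrv.dll")
    patched = os.path.join(sys32, "termsrv.dll")
    tool = os.path.join(nexon, "KISSMS[BETA] .exe")
    with open(clean, "wb") as fh:
        fh.write(b"MZ constructed stand-in for the pristine termsrv.dll")
    with open(patched, "wb") as fh:
        fh.write(b"MZ constructed stand-in for the modified termsrv.dll")
    with open(tool, "wb") as fh:
        fh.write(b"MZ constructed stand-in for the file to delete")
    script = parse_cfscript(f"FCopy::\n{clean}|{patched}\n\nFile::\n{tool}\n")
    before = verify_run(script)      # modified copy differs, tool still present
    shutil.copyfile(clean, patched)  # what FCopy:: asks ComboFix to do
    os.remove(tool)                  # what File:: asks ComboFix to do
    after = verify_run(script)
    shutil.rmtree(root)
    return before, after
```

Running verify_run against the real paths after a ComboFix run is the check that the "FCopy" and "Other Deletions" sections of the log only imply.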

Everything seems to be going well. I haven't had a redirect yet, so I think the problem is cleared up. Thanks!

ComboFix 10-02-12.01 - 02/15/2010 17:51:55.7.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.673 [GMT -8:00]

Running from: c:\documents and settings\Username\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Username\Desktop\CFScript.txt

AV: avast! antivirus 4.8.1229 [VPS 081010-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33C355DB.zip"

"c:\nexon\MapleStory v75\HypnoticStory.exe"

"c:\nexon\MapleStory v75\MapleTales.exe"

"c:\nexon\MapleStory v75\VibrantMS.exe"

"c:\nexon\MapleStory v75\YCMS.exe"

"c:\program files\Nexon\MaplestoryV60\AdeptMaple.exe"

"c:\program files\Nexon\MaplestoryV60\ChickenMS_v60_NO-DC.exe"

"c:\program files\Nexon\MaplestoryV60\LeafMS-Alpha v.2.exe"

"c:\program files\Nexon\MaplestoryV60\WingedMS.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\nexon\MapleStory v75\HypnoticStory.exe

c:\nexon\MapleStory v75\MapleTales.exe

c:\nexon\MapleStory v75\VibrantMS.exe

c:\nexon\MapleStory v75\YCMS.exe

c:\program files\Nexon\MaplestoryV60\AdeptMaple.exe

c:\program files\Nexon\MaplestoryV60\ChickenMS_v60_NO-DC.exe

c:\program files\Nexon\MaplestoryV60\LeafMS-Alpha v.2.exe

c:\program files\Nexon\MaplestoryV60\WingedMS.exe

.

((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))

.

2010-02-12 22:58 . 2010-02-12 22:58 388096 ----a-r- c:\documents and settings\Username\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-12 22:58 . 2010-02-12 22:58 -------- d-----w- c:\program files\TrendMicro

2010-02-12 20:59 . 2010-02-12 20:59 -------- d-----w- c:\program files\ESET

2010-02-11 00:10 . 2010-02-11 00:10 -------- d-----w- c:\program files\CCleaner

2010-02-03 21:04 . 2010-02-03 21:04 -------- d-----w- c:\program files\Combined Community Codec Pack

2010-02-03 20:41 . 1998-04-30 22:56 129024 ----a-w- c:\windows\UNWISE.EXE

2010-02-02 03:24 . 2010-02-02 03:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-02-02 02:50 . 2010-02-02 05:03 120 ----a-w- c:\windows\Vbiko.dat

2010-02-02 02:50 . 2010-02-02 02:50 0 ----a-w- c:\windows\Icucoma.bin

2010-02-01 08:27 . 2010-02-01 08:27 -------- d-----w- c:\program files\DirectVobSub

2010-02-01 07:34 . 2010-02-01 07:40 -------- d-----w- c:\windows\system32\drivers\mycodec

2010-02-01 07:34 . 2010-02-01 07:44 -------- d-----w- c:\program files\MyVideoConverter

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-14 22:43 . 2009-11-23 23:33 79488 ----a-w- c:\documents and settings\Username\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-12 18:36 . 2009-06-13 06:38 -------- d-----w- c:\program files\Runes of Magic

2010-02-11 04:05 . 2009-03-27 04:17 -------- d-----w- c:\documents and settings\Username\Application Data\uTorrent

2010-02-11 00:12 . 2009-06-06 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-08 07:15 . 2008-11-10 04:22 15434 ----a-w- c:\documents and settings\Username\Application Data\wklnhst.dat

2010-02-03 07:21 . 2009-12-07 09:41 234912 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-02 06:09 . 2009-06-30 06:18 -------- d-----w- c:\program files\Cheat Engine

2010-02-02 05:35 . 2006-11-16 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-02-02 05:35 . 2006-11-16 01:05 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-02 03:54 . 2006-11-16 00:42 246784 ----a-w- c:\windows\system32\drivers\iastor.sys

2010-02-02 03:23 . 2010-02-02 03:23 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2010-01-17 02:23 . 2008-07-22 07:15 -------- d-----w- c:\program files\DivX

2010-01-15 22:34 . 2010-01-15 22:16 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-01-15 22:21 . 2010-01-15 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-14 06:14 . 2009-06-18 20:04 -------- d-----w- c:\program files\AIMTunes

2010-01-11 07:07 . 2009-11-05 03:14 -------- d-----w- c:\documents and settings\Username\Application Data\Skype

2010-01-11 07:07 . 2009-11-05 03:19 -------- d-----w- c:\documents and settings\Username\Application Data\skypePM

2010-01-08 00:07 . 2010-01-15 22:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-08 00:07 . 2010-01-15 22:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-04 02:51 . 2010-01-04 02:34 -------- d-----w- c:\program files\Audacity

2010-01-04 01:53 . 2008-07-14 04:46 1024 ----a-w- c:\documents and settings\All Users\Application Data\BVRP Software\mobile PhoneTools\faxres.cmd

2010-01-02 10:49 . 2009-12-08 19:52 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-12-31 16:14 . 2004-08-10 18:51 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-24 02:40 . 2008-11-01 22:37 39 ----a-w- c:\documents and settings\Username\jagex_runescape_preferences.dat

2009-12-24 02:38 . 2009-09-20 22:35 69 ----a-w- c:\documents and settings\Username\jagex_runescape_preferences2.dat

2009-12-22 05:35 . 2004-08-10 18:51 668672 ------w- c:\windows\system32\wininet.dll

2009-12-22 05:35 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-12-16 12:58 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:35 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 18:11 . 2004-08-10 18:51 2142720 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 17:35 . 2004-08-04 04:59 2020864 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 14:41 . 2006-11-16 00:41 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:33 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:33 . 2004-08-04 06:56 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:37 . 2004-08-10 18:51 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37 . 2004-08-10 18:51 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37 . 2004-08-10 18:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37 . 2004-08-04 06:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37 . 2001-08-18 04:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-21 16:36 . 2004-08-10 18:50 470528 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-20 12:51 . 2009-11-20 12:51 98304 ----a-w- c:\windows\system32\DirShowEXDD.dll

2008-09-22 02:56 . 2007-09-25 04:16 88 --sh--r- c:\windows\system32\F76360A42E.sys

2008-09-22 02:56 . 2007-09-25 04:16 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-02-14_20.49.49 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-15 19:35 . 2010-02-15 19:35 16384 c:\windows\Temp\Perflib_Perfdata_6c0.dat

+ 2004-08-10 19:01 . 2004-08-04 11:00 295424 c:\windows\system32\termsrv.dll

- 2004-08-10 19:01 . 2008-09-13 22:16 295424 c:\windows\system32\termsrv.dll

+ 2004-08-10 19:01 . 2004-08-04 11:00 295424 c:\windows\system32\dllcache\termsrv.dll

- 2008-08-22 20:12 . 2008-04-14 00:12 295424 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-16 26112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-16 169984]

"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Username\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

CurseClientStartup.ccip [2009-12-7 0]

Microsoft Find Fast.lnk - c:\program files\Microsoft Office 97\Office\FINDFAST.EXE [1996-12-8 111376]

Office Startup.lnk - c:\program files\Microsoft Office 97\Office\OSA.EXE [1996-12-8 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\counter-strike\\hl.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\condition zero\\hl.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\condition zero deleted scenes\\hl.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Valve\\Steam\\steam.exe"=

"c:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Username\\Desktop\\New Folder\\utorrent.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\passdapeacepipe\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Username\\Local Settings\\Apps\\2.0\\Q9YJLAAL.DW1\\OKO8EB2G.PJK\\curs..tion_eee711038731a406_0004.0000_1430d97334050788\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"21216:TCP"= 21216:TCP:BitComet 21216 TCP

"21216:UDP"= 21216:UDP:BitComet 21216 UDP

"10211:TCP"= 10211:TCP:BitComet 10211 TCP

"10211:UDP"= 10211:UDP:BitComet 10211 UDP

"58295:TCP"= 58295:TCP:Pando Media Booster

"58295:UDP"= 58295:UDP:Pando Media Booster

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/12/2008 3:28 PM 78416]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2008 3:28 PM 20560]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/20/2007 8:07 PM 24652]

S3 XDva092;XDva092;\??\c:\windows\system32\XDva092.sys --> c:\windows\system32\XDva092.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = www.msn.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Username\Application Data\Mozilla\Firefox\Profiles\ej2moeq2.default\

FF - plugin: c:\program files\Common Files\Motive\npMotive.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-15 17:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-02-15 17:57:19

ComboFix-quarantined-files.txt 2010-02-16 01:57

ComboFix2.txt 2010-02-14 23:10

ComboFix3.txt 2010-02-14 20:51

Pre-Run: 78,854,238,208 bytes free

Post-Run: 78,822,531,072 bytes free

- - End Of File - - 1A6543DF3545956A1FCF870B89410775
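Two parts of the log above carry the evidence that matters for this thread: the SnapShot section records that c:\windows\system32\termsrv.dll (the file ESET flagged as Win32/Spy.Ursnif.A and could not clean) went from a 2008-09-13 modified stamp to the 2004-08-04 11:00 build that now also sits in dllcache, and the "Files Created" section lists loose files such as c:\windows\Vbiko.dat and c:\windows\Icucoma.bin that appeared together on 2010-02-02. The script below is an added example, not part of the thread or of ComboFix: it parses those two sections and produces a short triage list. The SAMPLE_LOG is a constructed excerpt of a few lines copied from the log above, and the "loose file directly under %windir%" rule is a heuristic of my own; it flags candidates for a human to look at and does not decide that anything is malicious.

```python
"""Triage helper for a ComboFix log: pulls the SnapShot diff (files that changed
between two ComboFix runs) and the 'Files Created' entries, then flags the ones
a malware-removal helper would want to look at first."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: a handful of lines copied from the ComboFix log posted
# above, enough to exercise both sections. Paths are as ComboFix prints them.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
.
2010-02-12 22:58 . 2010-02-12 22:58 -------- d-----w- c:\program files\TrendMicro
2010-02-03 20:41 . 1998-04-30 22:56 129024 ----a-w- c:\windows\UNWISE.EXE
2010-02-02 02:50 . 2010-02-02 05:03 120 ----a-w- c:\windows\Vbiko.dat
2010-02-02 02:50 . 2010-02-02 02:50 0 ----a-w- c:\windows\Icucoma.bin
2010-02-01 07:34 . 2010-02-01 07:40 -------- d-----w- c:\windows\system32\drivers\mycodec
.
((((((((((((((((((((((((((((( SnapShot@2010-02-14_20.49.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-15 19:35 . 2010-02-15 19:35 16384 c:\windows\Temp\Perflib_Perfdata_6c0.dat
+ 2004-08-10 19:01 . 2004-08-04 11:00 295424 c:\windows\system32\termsrv.dll
- 2004-08-10 19:01 . 2008-09-13 22:16 295424 c:\windows\system32\termsrv.dll
+ 2004-08-10 19:01 . 2004-08-04 11:00 295424 c:\windows\system32\dllcache\termsrv.dll
- 2008-08-22 20:12 . 2008-04-14 00:12 295424 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
.
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# "<created> . <modified> <size|--------> <attrs> <path>"
CREATED_RE = re.compile(rf"^({STAMP}) \. ({STAMP}) (\S+) (\S+) (.+)$")
# "<+|-> <created> . <modified> <size> <path>"; + = in the new snapshot, - = in the old one
SNAP_RE = re.compile(rf"^([+-]) ({STAMP}) \. ({STAMP}) (\d+) (.+)$")


@dataclass
class Created:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    is_dir: bool
    path: str


def parse_sections(log: str) -> Tuple[List[Created], Dict[str, Dict[str, str]]]:
    """Return (files-created entries, snapshot diff keyed by lower-cased path).
    The snapshot diff maps path -> {'+': new modified stamp, '-': old modified stamp}
    for whichever sides the log contains."""
    created: List[Created] = []
    snap: Dict[str, Dict[str, str]] = defaultdict(dict)
    section = None
    for line in log.splitlines():
        if line.startswith("((("):            # section banner
            section = ("created" if "Files Created" in line
                       else "snapshot" if "SnapShot@" in line else None)
            continue
        if section == "created" and (m := CREATED_RE.match(line)):
            c, mod, size, attrs, path = m.groups()
            created.append(Created(c, mod, None if size.startswith("-") else int(size),
                                   attrs.startswith("d"), path))
        elif section == "snapshot" and (m := SNAP_RE.match(line)):
            sign, _c, mod, _size, path = m.groups()
            snap[path.lower()][sign] = mod
    return created, dict(snap)


def replaced_files(snap: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Paths present in both snapshots with a different modified stamp: the file
    was swapped for another copy between the two ComboFix runs."""
    return {p: (d["-"], d["+"]) for p, d in snap.items()
            if "+" in d and "-" in d and d["+"] != d["-"]}


def suspicious_created(created: List[Created], windir: str = r"c:\windows") -> List[str]:
    """Heuristic (my assumption, not a ComboFix rule): loose files dropped directly
    into the Windows directory deserve a look, especially zero-byte ones or ones
    written to again after creation. Returns review candidates, not verdicts."""
    hits = []
    for f in created:
        if f.is_dir:
            continue
        parent, _, _name = f.path.lower().rpartition("\\")
        if parent != windir.lower():
            continue
        reasons = ["dropped directly in %windir%"]
        if f.size == 0:
            reasons.append("zero-byte")
        if f.modified > f.created:       # ISO-style stamps compare as strings
            reasons.append(f"rewritten after creation ({f.created} -> {f.modified})")
        elif f.modified < f.created:
            reasons.append("carries an older timestamp than its creation (copied in)")
        hits.append(f"{f.path}: " + ", ".join(reasons))
    return hits


if __name__ == "__main__":
    created, snap = parse_sections(SAMPLE_LOG)
    for path, (old, new) in replaced_files(snap).items():
        print(f"replaced: {path}  {old} -> {new}")
    for hit in suspicious_created(created):
        print("review:", hit)
```

Run against the excerpt it reports system32\termsrv.dll as replaced (old stamp 2008-09-13 22:16, new stamp 2004-08-04 11:00), which is what a helper would want to see before declaring the ESET detection resolved, and lists UNWISE.EXE, Vbiko.dat and Icucoma.bin for review; UNWISE.EXE is a common installer leftover, so the list is a starting point for a file-by-file check, not a verdict.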


=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.
