Author Topic: Google being hijacked (Read 1996 times)

barrel05 · « **on:** November 18, 2010, 02:54:01 AM »

When ever i click on a google searched link it redirects me to anti-virus sights

barrel05 · « **Reply #1 on:** November 18, 2010, 06:53:14 AM »

I beleive i have rootkit virus any help would be appreciated

guestolo · « **Reply #2 on:** November 18, 2010, 10:24:24 AM »

Download [color="#FF0000"]OTL.exe[/color][/url] by OldTimer to your Desktop.

Close all windows and double click on OTL.exe to run it
Click Run Scan and let the program run uninterrupted.
It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.

barrel05 · « **Reply #3 on:** November 18, 2010, 07:05:49 PM »

OTL
OTL logfile created on: 19/11/2010 10:41:00 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

766.00 Mb Total Physical Memory | 442.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 8.11 Gb Free Space | 43.51% Space Free | Partition Type: NTFS
Drive D: | 6.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 372.61 Gb Total Space | 19.78 Gb Free Space | 5.31% Space Free | Partition Type: NTFS
Drive F: | 1396.92 Gb Total Space | 1358.05 Gb Free Space | 97.22% Space Free | Partition Type: FAT32

Computer Name: ANONYMOUS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/19 10:38:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/09/29 18:46:08 | 000,196,944 | ---- | M] (Totem Entertainment) -- C:\Program Files\vghd\VirtuaGirl_Downloader.exe
PRC - [2010/09/29 18:46:07 | 000,600,904 | ---- | M] (Totem Entertainment) -- C:\Program Files\vghd\vghd.exe
PRC - [2010/09/08 01:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/08 01:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/10/19 19:25:41 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/10/01 12:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/04/16 04:31:54 | 001,675,264 | ---- | M] (D-Link) -- C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe
PRC - [2007/05/16 08:55:46 | 001,628,208 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2007/05/16 08:55:46 | 001,550,896 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2007/05/16 08:55:26 | 001,057,328 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCD.exe
PRC - [2007/01/20 04:49:04 | 000,049,152 | ---- | M] (Wireless Service) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
PRC - [2005/04/28 07:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2003/10/31 19:42:40 | 000,032,768 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
PRC - [2002/03/20 10:30:00 | 000,045,632 | ---- | M] () -- C:\WINDOWS\system32\TaskSwitch.exe

========== Modules (SafeList) ==========

MOD - [2010/11/19 10:38:48 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/24 03:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\wscsvc.dll -- (wscsvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
SRV - [2010/09/08 01:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/08 01:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/08 01:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/05/16 08:55:46 | 001,550,896 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2007/01/20 04:49:26 | 000,049,152 | ---- | M] (Wireless Service) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)
SRV - [2005/04/28 07:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\1E.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/09/08 00:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/08 00:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/08 00:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/08 00:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/08 00:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/08 00:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/10/19 19:29:36 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2008/02/28 05:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2008/01/16 14:50:52 | 000,459,520 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dr71WU.sys -- (RT73)
DRV - [2007/05/16 08:55:36 | 000,118,576 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2007/05/16 08:55:36 | 000,038,576 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2007/05/16 08:55:36 | 000,037,040 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2007/05/13 09:39:32 | 000,028,195 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2003/12/05 21:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/07/16 14:58:30 | 000,013,056 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdrbsvsd.sys -- (cdrbsvsd)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = FA 0E 3E 43 0D 87 CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaultthis.engineName: "midica Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2794175&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "midica Customized Web Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.8
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.15
FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.19
FF - prefs.js..extensions.enabledItems: {8F6A6FD9-0619-459f-B9D0-81DE065D4E21}:1.9.2
FF - prefs.js..extensions.enabledItems: [email protected]:3.6.5.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:2.0.5
FF - prefs.js..extensions.enabledItems: [email protected]:2.5
FF - prefs.js..extensions.enabledItems: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}:1.300.306
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://ws.infospace.com/coolchaser_game/ws/redir?_iceUrl=true&user_id=35025395&tool_id=60531&qkw="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/26 12:50:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/16 09:58:54 | 000,000,000 | ---D | M]

[2011/03/05 15:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/11/19 00:21:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions
[2011/03/08 13:15:25 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2011/03/08 13:05:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/09/30 13:58:56 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/04/07 15:37:20 | 000,000,000 | ---D | M] (View Cookies) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{8F6A6FD9-0619-459f-B9D0-81DE065D4E21}
[2010/05/31 17:25:53 | 000,000,000 | ---D | M] (Gamers Unite! Snag Bar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}
[2011/03/08 14:30:00 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2011/03/08 13:15:26 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/03/08 13:15:25 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/08 13:15:28 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2011/03/08 13:15:26 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/05/20 13:14:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\[email protected]
[2010/04/07 15:37:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\[email protected]
[2010/05/20 13:22:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\[email protected]
[2011/03/08 15:10:14 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\searchplugins\bing.xml
[2010/10/23 11:26:06 | 000,000,915 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\searchplugins\conduit.xml
[2010/05/31 17:27:03 | 000,001,751 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\searchplugins\search-the-web.xml
[2010/11/06 13:50:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/06 12:30:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/11 16:56:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/06 11:31:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/02/21 21:22:32 | 000,712,704 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/11/18 20:28:49 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll (BitComet)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyn1.dll (Conduit Ltd.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
O4 - HKLM..\Run: [D-Link D-Link Wireless G DWA-110] C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe (D-Link)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe (Totem Entertainment)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 18
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.27.dll (BitComet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/12/09 17:41:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/03/21 12:00:56 | 000,000,000 | R--D | M] - F:\AUTORUN -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/08 15:22:15 | 000,165,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/03/08 15:22:15 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/03/08 15:22:14 | 000,023,376 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/03/08 15:22:12 | 000,046,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/03/08 15:22:11 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/03/08 15:22:11 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/03/08 15:22:10 | 000,028,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/03/08 15:21:52 | 000,167,592 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/03/08 15:09:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/03/08 14:56:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Tracing
[2011/03/08 14:43:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DirectX
[2011/03/08 14:42:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/03/08 14:40:14 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2011/03/08 14:39:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2011/03/08 14:39:47 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2011/03/08 14:39:14 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2011/03/08 14:30:12 | 000,000,000 | ---D | C] -- C:\Downloads
[2011/03/08 14:30:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\BitComet
[2011/03/08 14:29:52 | 000,000,000 | ---D | C] -- C:\Program Files\BitComet
[2011/03/08 14:16:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2011/03/08 13:42:12 | 000,146,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\portcls.sys
[2011/03/08 13:42:12 | 000,129,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksproxy.ax
[2011/03/08 13:42:12 | 000,060,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmk.sys
[2011/03/08 13:42:12 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksuser.dll
[2011/03/08 13:42:06 | 000,720,896 | ---- | C] (Sensaura Ltd) -- C:\WINDOWS\System32\a3d.dll
[2011/03/08 13:42:06 | 000,045,056 | ---- | C] (adi) -- C:\WINDOWS\System32\CleanUp.exe
[2011/03/08 13:42:06 | 000,036,864 | ---- | C] (Analog Devices Inc.) -- C:\WINDOWS\System32\DSndUp.exe
[2011/03/08 13:42:06 | 000,003,744 | ---- | C] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smsens.sys
[2011/03/08 13:42:06 | 000,000,000 | ---D | C] -- C:\Program Files\Analog Devices
[2011/03/08 13:39:43 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2011/03/08 13:39:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/03/08 13:31:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\BloodBowl
[2011/03/08 13:07:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2011/03/08 13:06:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2011/03/05 15:43:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead
[2011/03/05 15:38:09 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2011/03/05 15:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2011/03/05 15:38:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead
[2011/03/05 15:34:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla
[2011/03/05 15:34:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2011/03/05 15:34:18 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/03/05 15:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/03/05 15:22:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Macromedia
[2011/03/05 15:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2011/03/05 15:14:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE
[2011/03/05 15:11:05 | 001,327,189 | ---- | C] (Funk Software, Inc.) -- C:\WINDOWS\System32\odSupp_M.dll
[2011/03/05 15:11:05 | 000,692,224 | ---- | C] (Wireless Service) -- C:\WINDOWS\System32\ANIWZCS2.dll
[2011/03/05 15:11:05 | 000,262,144 | ---- | C] (Wireless Service) -- C:\WINDOWS\System32\wnicapi.dll
[2011/03/05 15:11:05 | 000,217,088 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\aIPH.dll
[2011/03/05 15:11:05 | 000,049,152 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\AQCKGen.dll
[2011/03/05 15:11:05 | 000,045,115 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANICtl.dll
[2011/03/05 15:10:52 | 000,048,128 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIO64.sys
[2011/03/05 15:10:52 | 000,036,864 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIOApi.dll
[2011/03/05 15:10:52 | 000,028,195 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIO.sys
[2011/03/05 15:10:52 | 000,011,904 | ---- | C] (ANI ) -- C:\WINDOWS\System32\anio4.sys
[2011/03/05 15:10:51 | 000,000,000 | ---D | C] -- C:\Program Files\ANI
[2011/03/05 15:10:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2011/03/05 15:09:59 | 000,459,520 | ---- | C] (Ralink Technology, Corp.) -- C:\WINDOWS\System32\drivers\Dr71WU.sys
[2011/03/05 15:09:58 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2011/03/05 15:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\D-Link
[2011/03/05 15:09:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\InstallShield
[2011/03/05 14:32:50 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/03/05 14:31:05 | 000,155,648 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2011/03/05 14:30:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2011/03/05 14:29:52 | 002,273,280 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ialmgicd.dll
[2011/03/05 14:29:52 | 000,880,640 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxress.dll
[2011/03/05 14:29:52 | 000,739,387 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ialmdd5.dll
[2011/03/05 14:29:52 | 000,471,040 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ialmgdev.dll
[2011/03/05 14:29:52 | 000,462,848 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxcfg.exe
[2011/03/05 14:29:52 | 000,339,968 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxsrvc.dll
[2011/03/05 14:29:52 | 000,225,280 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxpph.dll
[2011/03/05 14:29:52 | 000,221,184 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxeud.dll
[2011/03/05 14:29:52 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrptb.lrc
[2011/03/05 14:29:52 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrita.lrc
[2011/03/05 14:29:52 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrfra.lrc
[2011/03/05 14:29:52 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxresp.lrc
[2011/03/05 14:29:52 | 000,159,744 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrtha.lrc
[2011/03/05 14:29:52 | 000,159,744 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrdeu.lrc
[2011/03/05 14:29:52 | 000,155,648 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrkor.lrc
[2011/03/05 14:29:52 | 000,155,648 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrjpn.lrc
[2011/03/05 14:29:52 | 000,155,648 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrenu.lrc
[2011/03/05 14:29:52 | 000,155,648 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrcht.lrc
[2011/03/05 14:29:52 | 000,155,648 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxrchs.lrc
[2011/03/05 14:29:52 | 000,151,552 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxdiag.exe
[2011/03/05 14:29:52 | 000,143,360 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxdev.dll
[2011/03/05 14:29:52 | 000,126,976 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxhk.dll
[2011/03/05 14:29:52 | 000,126,651 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ialmdev5.dll
[2011/03/05 14:29:52 | 000,118,784 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\hccutils.dll
[2011/03/05 14:29:52 | 000,103,484 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ialmdnt5.dll
[2011/03/05 14:29:52 | 000,094,208 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxext.exe
[2011/03/05 14:29:52 | 000,094,208 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxcpl.cpl
[2011/03/05 14:29:52 | 000,090,112 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxzoom.exe
[2011/03/05 14:29:52 | 000,086,016 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxdo.dll
[2011/03/05 14:29:52 | 000,061,440 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\iAlmCoIn_v3762.dll
[2011/03/05 14:29:52 | 000,049,152 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ialmrem.dll
[2011/03/05 14:29:52 | 000,045,056 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxdgps.dll
[2011/03/05 14:29:52 | 000,036,415 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\ialmrnt5.dll
[2011/03/05 14:29:52 | 000,032,768 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxexps.dll
[2011/03/05 14:29:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Drivers
[2011/03/05 14:29:43 | 000,000,000 | ---D | C] -- C:\dell
[2011/03/05 14:29:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IECompatCache
[2011/03/05 14:27:30 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc
[2010/12/09 18:02:38 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Owner\My Documents\My Videos
[2010/12/09 17:59:29 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010/12/09 17:59:22 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010/12/09 17:59:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Foxit
[2010/12/09 17:59:08 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/12/09 17:58:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010/12/09 17:58:16 | 000,000,000 | ---D | C] -- C:\Program Files\UPHClean
[2010/12/09 17:57:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Sun
[2010/12/09 17:52:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/12/09 17:52:47 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/12/09 17:52:34 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010/12/09 17:52:10 | 000,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2010/12/09 17:47:59 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2010/12/09 17:47:57 | 000,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2010/12/09 17:47:16 | 000,091,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2010/12/09 17:47:14 | 000,589,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2010/12/09 17:44:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents\My Pictures
[2010/12/09 17:44:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents\My Music
[2010/12/09 17:44:48 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2010/12/09 17:44:02 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft
[2010/12/09 17:44:02 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2010/12/09 17:44:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\SendTo
[2010/12/09 17:44:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Application Data
[2010/12/09 17:44:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu
[2010/12/09 17:44:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents
[2010/12/09 17:44:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Favorites
[2010/12/09 17:44:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache
[2010/12/09 17:44:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\Cookies
[2010/12/09 17:44:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Templates
[2010/12/09 17:44:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\PrintHood
[2010/12/09 17:44:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\NetHood
[2010/12/09 17:44:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Local Settings
[2010/12/09 17:44:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop
[2010/12/09 17:43:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/12/09 17:43:51 | 000,000,000 | --SD | C] -- C:\WINDOWS\System32\Microsoft
[2010/12/09 17:43:44 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/12/09 17:43:44 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/12/09 17:43:40 | 000,000,000 | --SD | C] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/12/09 17:43:39 | 000,000,000 | --SD | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/12/09 17:41:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2010/12/09 17:41:00 | 000,112,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mapi32.dll
[2010/12/09 17:40:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache
[2010/12/09 17:39:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\DRM
[2010/12/09 17:39:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2010/12/09 17:39:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Music
[2010/12/09 17:39:11 | 000,000,000 | -H-D | C] -- C:\Program Files\WindowsUpdate
[2010/12/09 17:38:44 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2010/12/09 17:38:21 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\atrace.dll
[2010/12/09 17:38:14 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icfgnt5.dll
[2010/12/09 17:38:14 | 000,000,000 | --SD | C] -- C:\WINDOWS\Tasks
[2010/12/09 17:38:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MSSoap
[2010/12/09 17:38:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\srchasst
[2010/12/09 17:37:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Macromed
[2010/12/09 17:37:55 | 000,327,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll
[2010/12/09 17:37:54 | 000,194,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng1.dll
[2010/12/09 17:37:53 | 000,172,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauclt1.exe
[2010/12/09 17:37:53 | 000,035,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll
[2010/12/09 17:37:52 | 000,575,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll
[2010/12/09 17:37:52 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgrprxy.dll
[2010/12/09 17:37:52 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx2.dll
[2010/12/09 17:37:52 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx4.dll
[2010/12/09 17:37:52 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx3.dll
[2010/12/09 17:37:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/12/09 17:37:50 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrslv.dll
[2010/12/09 17:37:50 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrcdlg.dll
[2010/12/09 17:37:50 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\racpldlg.dll
[2010/12/09 17:37:50 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrdm.dll
[2010/12/09 17:37:43 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fltMc.exe
[2010/12/09 17:37:42 | 000,239,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srrstr.dll
[2010/12/09 17:37:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Restore
[2010/12/09 17:37:40 | 000,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwdial.dll
[2010/12/09 17:37:40 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwphbk.dll
[2010/12/09 17:37:40 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstinit.exe
[2010/12/09 17:37:39 | 000,274,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcfg.dll
[2010/12/09 17:37:39 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\isign32.dll
[2010/12/09 17:37:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\System
[2010/12/09 17:37:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/12/09 17:36:44 | 000,000,000 | ---D | C] -- C:\Program Files\ComPlus Applications
[2010/12/09 17:36:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Registration
[2010/12/09 17:35:16 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2010/12/09 17:35:14 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Player
[2010/12/09 17:35:03 | 000,115,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2010/12/09 17:35:02 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2010/12/09 17:34:53 | 000,581,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winUsbCoinstaller.dll
[2010/12/09 17:34:51 | 001,112,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WdfCoInstaller01007.dll
[2010/12/09 17:34:50 | 001,302,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WUDFUpdate_01007.dll
[2010/12/09 17:34:50 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\UMDF\wudfusbcciddriver.dll
[2010/12/09 17:34:49 | 000,922,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2fs.dll
[2010/12/09 17:34:48 | 000,426,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi2.dll
[2010/12/09 17:34:47 | 000,358,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\RmActivate_ssp.exe
[2010/12/09 17:34:47 | 000,354,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\RmActivate_ssp_isv.exe
[2010/12/09 17:34:47 | 000,192,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\SecProc_ssp_isv.dll
[2010/12/09 17:34:47 | 000,192,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\SecProc_ssp.dll
[2010/12/09 17:34:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRM
[2010/12/09 17:34:46 | 000,531,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\RmActivate_isv.exe
[2010/12/09 17:34:45 | 000,523,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\RmActivate.exe
[2010/12/09 17:34:45 | 000,519,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\SecProc_isv.dll
[2010/12/09 17:34:44 | 000,518,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\SecProc.dll
[2010/12/09 17:34:44 | 000,323,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdrm.dll
[2010/12/09 17:34:43 | 000,088,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml4r.dll
[2010/12/09 17:34:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2010/12/09 17:34:30 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2010/12/09 17:34:30 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2010/12/09 17:34:30 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2010/12/09 17:34:30 | 000,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2010/12/09 17:34:29 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2010/12/09 17:34:29 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2010/12/09 17:34:28 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2010/12/09 17:34:28 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2010/12/09 17:34:27 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2010/12/09 17:34:27 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2010/12/09 17:34:27 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2010/12/09 17:34:27 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2010/12/09 17:34:27 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2010/12/09 17:34:26 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2010/12/09 17:34:26 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2010/12/09 17:34:26 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2010/12/09 17:34:26 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2010/12/09 17:34:26 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2010/12/09 17:34:25 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2010/12/09 17:34:25 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2010/12/09 17:34:25 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2010/12/09 17:34:25 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2010/12/09 17:34:25 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2010/12/09 17:34:25 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2010/12/09 17:34:25 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2010/12/09 17:34:24 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2010/12/09 17:34:24 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2010/12/09 17:34:24 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2010/12/09 17:34:24 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2010/12/09 17:34:24 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2010/12/09 17:34:23 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2010/12/09 17:34:23 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2010/12/09 17:34:23 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2010/12/09 17:34:23 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2010/12/09 17:34:23 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2010/12/09 17:34:23 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2010/12/09 17:34:23 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2010/12/09 17:34:23 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2010/12/09 17:34:22 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2010/12/09 17:34:20 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2010/12/09 17:34:19 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2010/12/09 17:34:17 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2010/12/09 17:34:16 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2010/12/09 17:34:14 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2010/12/09 17:34:13 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2010/12/09 17:34:11 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2010/12/09 17:34:10 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2010/12/09 17:34:08 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2010/12/09 17:34:07 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2010/12/09 17:34:06 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2010/12/09 17:34:05 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2010/12/09 17:34:04 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2010/12/09 17:34:03 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2010/12/09 17:34:02 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2010/12/09 17:34:01 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2010/12/09 17:34:00 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2010/12/09 17:33:59 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2010/12/09 17:33:59 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2010/12/09 17:33:58 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2010/12/09 17:33:58 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2010/12/09 17:33:58 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2010/12/09 17:33:57 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2010/12/09 17:33:57 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2010/12/09 17:33:57 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2010/12/09 17:33:57 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2010/12/09 17:33:56 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2010/12/09 17:33:56 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2010/12/09 17:33:56 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2010/12/09 17:33:53 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2010/12/09 17:33:52 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2010/12/09 17:33:51 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2010/12/09 17:33:50 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2010/12/09 17:33:49 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2010/12/09 17:33:49 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2010/12/09 17:33:48 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2010/12/09 17:33:47 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2010/12/09 17:33:47 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2010/12/09 17:33:46 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2010/12/09 17:33:45 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2010/12/09 17:33:30 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/12/09 17:33:30 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/12/09 17:33:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2010/12/09 17:33:30 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/12/09 17:33:29 | 000,142,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MicrosoftUpdateCatalogWebControl.dll
[2010/12/09 17:33:28 | 000,934,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WgaTray.exe.bak
[2010/12/09 17:33:28 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WgaTray.exe
[2010/12/09 17:33:28 | 000,026,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe
[2010/12/09 17:33:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2010/12/09 17:33:08 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Explorer
[2010/12/09 17:32:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2010/12/09 17:32:49 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\write.exe
[2010/12/09 17:32:42 | 000,138,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sndvol32.exe
[2010/12/09 17:32:34 | 000,605,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\getuname.dll
[2010/12/09 17:32:34 | 000,114,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\calc.exe
[2010/12/09 17:32:34 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\charmap.exe
[2010/12/09 17:32:33 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsshutdn.exe
[2010/12/09 17:32:33 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tskill.exe
[2010/12/09 17:32:33 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsdiscon.exe
[2010/12/09 17:32:33 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscon.exe
[2010/12/09 17:32:33 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\reset.exe
[2010/12/09 17:32:32 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\regini.exe
[2010/12/09 17:32:32 | 000,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qwinsta.exe
[2010/12/09 17:32:32 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msg.exe
[2010/12/09 17:32:32 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qappsrv.exe
[2010/12/09 17:32:32 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rwinsta.exe
[2010/12/09 17:32:32 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\logoff.exe
[2010/12/09 17:32:32 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shadow.exe
[2010/12/09 17:32:32 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpcfgex.dll
[2010/12/09 17:32:31 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cdmodem.dll
[2010/12/09 17:32:23 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\accwiz.exe
[2010/12/09 17:32:23 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\access.cpl
[2010/12/09 17:32:23 | 000,000,000 | ---D | C] -- C:\Program Files\Windows NT
[2010/12/09 17:32:22 | 000,123,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mplay32.exe
[2010/12/09 17:32:22 | 000,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clipbrd.exe
[2010/12/09 17:32:21 | 000,093,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscfgwmi.dll
[2010/12/09 17:32:21 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsgqec.dll
[2010/12/09 17:32:20 | 000,290,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rhttpaa.dll
[2010/12/09 17:32:20 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aaclient.dll
[2010/12/09 17:32:18 | 000,147,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdchost.dll
[2010/12/09 17:32:18 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdshost.exe
[2010/12/09 17:32:18 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdsaddin.exe
[2010/12/09 17:32:17 | 000,087,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpwsx.dll
[2010/12/09 17:32:17 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
[2010/12/09 17:32:17 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpsnd.dll
[2010/12/09 17:32:17 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qprocess.exe
[2010/12/09 17:32:17 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icaapi.dll
[2010/12/09 17:32:16 | 000,428,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcprx.dll
[2010/12/09 17:32:16 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcuiu.dll
[2010/12/09 17:32:16 | 000,091,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxoci.dll
[2010/12/09 17:32:16 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cfgbkend.dll
[2010/12/09 17:32:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MsDtc
[2010/12/09 17:32:15 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtctm.dll
[2010/12/09 17:32:15 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtclog.dll
[2010/12/09 17:32:15 | 000,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xolehlp.dll
[2010/12/09 17:32:13 | 000,097,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comrepl.dll
[2010/12/09 17:32:13 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\colbact.dll
[2010/12/09 17:32:13 | 000,034,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxlegih.dll
[2010/12/09 17:32:13 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxdm.dll
[2010/12/09 17:32:13 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comaddin.dll
[2010/12/09 17:32:13 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dcomcnfg.exe
[2010/12/09 17:32:13 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxex.dll
[2010/12/09 17:32:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Com
[2010/12/09 17:32:12 | 000,625,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvut.dll
[2010/12/09 17:32:12 | 000,226,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrv.dll
[2010/12/09 17:32:12 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatex.dll
[2010/12/09 17:32:12 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvps.dll
[2010/12/09 17:32:12 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\stclient.dll
[2010/12/09 17:32:11 | 001,267,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsvcs.dll
[2010/12/09 17:32:10 | 000,539,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comuid.dll
[2010/12/09 17:32:10 | 000,167,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsnap.dll
[2010/12/09 17:32:00 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\servdeps.dll
[2010/12/09 17:32:0

guestolo · « **Reply #4 on:** November 18, 2010, 07:15:29 PM »

You may or may not of intentionally installed this bit of software
DeskBabes

If you didn't, can you uninstall it from Add and Remove Programs please

Next:
Please download TFC by Old Timer and save it to your desktop.
http://oldtimer.geekstogo.com/TFC.exe
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately.

Back in Windows
Open Malwarebytes Antimalware
.

Open the UPDATE tab and "Check for Updates"
If an update is found, it will download and install the latest version.
After updating, Click the SCANNER tab select "Perform Quick Scan", then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

barrel05 · « **Reply #5 on:** November 18, 2010, 07:40:49 PM »

I have run tfc but when when i click reboot the pc freezes during shutdown and will not shutdown. I've tried twice now and each time i have to turn the power off to reboot

guestolo · « **Reply #6 on:** November 18, 2010, 07:41:58 PM »

Please just carry on with Malwarebytes Anti-Malware

barrel05 · « **Reply #7 on:** November 18, 2010, 08:21:47 PM »

No threats were found
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5132

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/11/2010 12:18:20 PM
mbam-log-2010-11-19 (12-18-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 155535
Time elapsed: 36 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

guestolo · « **Reply #8 on:** November 18, 2010, 08:35:36 PM »

If you happen to have an older version of ComboFix
Delete it, you need to have this updated version

Download ComboFix from the following location

[color="#0000FF"]Link 1[/color]
Save it ONLY to your Desktop

--------------------------------------------------------------------
[color="#2E8B57"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]
Right click on the Avast icon by the clock and disable your protections
Select Permanently disabled, after ComboFix has completely ran, you can reenable the protections

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color="#2e8b57"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

barrel05 · « **Reply #9 on:** November 18, 2010, 10:22:42 PM »

A rootkit was detected upon start of combofix

ComboFix 10-11-18.03 - Owner 19/11/2010 14:07:44.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.766.547 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\scgdfgasfbh.bat

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2011-03-08 03:30 . 2010-07-27 03:48   --------   d-----w-   C:\Downloads
2011-03-05 03:29 . 2011-03-05 03:29   --------   d-----w-   C:\dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 06:53 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
2010-09-18 01:23 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
2010-09-14 17:50 . 2010-05-06 01:30   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2010-09-14 15:29 . 2010-03-31 23:57   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2010-09-10 05:57 . 2009-10-19 08:27   919552   ----a-w-   c:\windows\system32\wininet.dll
2010-09-10 05:57 . 2009-10-19 08:26   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2010-09-10 05:57 . 2009-10-19 08:25   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2010-09-01 11:48 . 2009-10-19 08:25   285824   ----a-w-   c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-10-19 08:27   1861888   ----a-w-   c:\windows\system32\win32k.sys
2010-08-27 08:01 . 2009-10-19 08:27   119808   ----a-w-   c:\windows\system32\t2embed.dll
2010-08-27 06:05 . 2008-04-14 12:00   99840   ----a-w-   c:\windows\system32\srvsvc.dll
2010-08-26 13:37 . 2009-10-19 08:27   357248   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-19 08:32   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 12:00   617472   ----a-w-   c:\windows\system32\comctl32.dll
2004-03-11 02:27 . 2010-03-17 02:19   40960   ----a-w-   c:\program files\Uninstall_CDS.exe
.

------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2009-10-19 . 5D12CAB858874F0AB2229A6F36507390 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe

[-] 2009-10-19 . E9191BF9EE3C83D53F691473FB28C176 . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-11-18_10.27.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-19 03:06 . 2010-11-19 03:06   16384 c:\windows\Temp\Perflib_Perfdata_7f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-10-30 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-10-30 02:29   2734688   ----a-w-   c:\program files\Zynga\tbZyn1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-10-30 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-10-30 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless G DWA-110"="c:\program files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe" [2008-04-15 1675264]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
2010-02-21 10:11   2969336   ----a-w-   c:\program files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
2003-12-22 11:15   86016   ------w-   c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-08-28 15:43   328568   ----a-w-   c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13785:TCP"= 13785:TCP:BitComet 13785 TCP
"13785:UDP"= 13785:UDP:BitComet 13785 UDP
"13745:TCP"= 13745:TCP:BitComet 13745 TCP
"13745:UDP"= 13745:UDP:BitComet 13745 UDP

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/03/2011 3:22 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/03/2011 3:22 PM 17744]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 7:29 PM 9472]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [19/10/2009 7:27 PM 14848]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper   REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{E51243AD-8232-4AC6-8D07-7BEEAA8CEE86}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2794175&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - midica Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser_game/ws/redir?_iceUrl=true&user_id=35025395&tool_id=60531&qkw=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\components\Engine.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-vghd - c:\documents and settings\Owner\Start Menu\Programs\DeskBabes\uninstall.lnk

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 14:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1E.tmp"
.
Completion time: 2010-11-19 14:19:36
ComboFix-quarantined-files.txt 2010-11-19 03:19
ComboFix2.txt 2010-11-18 10:30
ComboFix3.txt 2010-11-18 09:36

Pre-Run: 8,684,085,248 bytes free
Post-Run: 8,682,790,912 bytes free

- - End Of File - - CD9F134CB11FD7768BC65621243FA3B5

guestolo · « **Reply #10 on:** November 18, 2010, 10:26:40 PM »

Download [color="#0000FF"]TDSSKiller[/color] and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Also, download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

barrel05 · « **Reply #11 on:** November 18, 2010, 10:43:43 PM »

2010/11/19 14:39:26.0406   TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/19 14:39:26.0406   ================================================================================
2010/11/19 14:39:26.0406   SystemInfo:
2010/11/19 14:39:26.0406
2010/11/19 14:39:26.0406   OS Version: 5.1.2600 ServicePack: 3.0
2010/11/19 14:39:26.0406   Product type: Workstation
2010/11/19 14:39:26.0406   ComputerName: ANONYMOUS
2010/11/19 14:39:26.0406   UserName: Owner
2010/11/19 14:39:26.0406   Windows directory: C:\WINDOWS
2010/11/19 14:39:26.0406   System windows directory: C:\WINDOWS
2010/11/19 14:39:26.0406   Processor architecture: Intel x86
2010/11/19 14:39:26.0406   Number of processors: 1
2010/11/19 14:39:26.0406   Page size: 0x1000
2010/11/19 14:39:26.0406   Boot type: Normal boot
2010/11/19 14:39:26.0406   ================================================================================
2010/11/19 14:39:27.0312   Initialize success
2010/11/19 14:39:35.0000   ================================================================================
2010/11/19 14:39:35.0000   Scan started
2010/11/19 14:39:35.0000   Mode: Manual;
2010/11/19 14:39:35.0000   ================================================================================
2010/11/19 14:39:35.0765   Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/11/19 14:39:36.0484   ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/19 14:39:36.0718   ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/19 14:39:37.0203   aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/11/19 14:39:37.0437   aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/19 14:39:37.0687   AFD (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys
2010/11/19 14:39:38.0890   ANIO (920298c7aef97d8168d219d35975d295) C:\WINDOWS\system32\ANIO.SYS
2010/11/19 14:39:39.0859   aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010/11/19 14:39:40.0109   aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/11/19 14:39:40.0343   aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/11/19 14:39:40.0578   aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2010/11/19 14:39:40.0812   aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/11/19 14:39:41.0062   AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/19 14:39:41.0281   atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/19 14:39:41.0734   Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/19 14:39:41.0984   audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/19 14:39:42.0250   BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2010/11/19 14:39:42.0500   Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/19 14:39:42.0890   cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/19 14:39:43.0328   Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/19 14:39:43.0562   Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/19 14:39:43.0812   cdrbsvsd (80ac946628de5deab071474e30d7a071) C:\WINDOWS\system32\drivers\cdrbsvsd.sys
2010/11/19 14:39:44.0078   Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/19 14:39:45.0828   Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/19 14:39:46.0093   dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/19 14:39:46.0359   dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/19 14:39:46.0609   dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/19 14:39:46.0875   DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/19 14:39:47.0343   drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/19 14:39:47.0562   DumpDrv (b327281012b48bd73f587799f9f29be2) C:\WINDOWS\system32\drivers\DumpDrv.sys
2010/11/19 14:39:47.0859   exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
2010/11/19 14:39:48.0093   Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/19 14:39:48.0343   Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/19 14:39:48.0562   Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/19 14:39:48.0781   Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/19 14:39:49.0031   FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/11/19 14:39:49.0281   Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/19 14:39:49.0515   Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/19 14:39:49.0765   Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/19 14:39:50.0203   HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/19 14:39:50.0656   HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
2010/11/19 14:39:50.0968   HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2010/11/19 14:39:51.0250   HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/19 14:39:51.0921   i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/19 14:39:52.0171   ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/11/19 14:39:52.0421   Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/19 14:39:52.0703   InCDfs (7bfc3eda22190c0fe8c2ca19e5379da5) C:\WINDOWS\system32\drivers\InCDFs.sys
2010/11/19 14:39:52.0937   InCDPass (fc4dbf18a4eb0d2fe3171471a3d0f9a8) C:\WINDOWS\system32\drivers\InCDPass.sys
2010/11/19 14:39:53.0156   InCDrec (f8e7c551def07fdc12ca5cc7ae5d975b) C:\WINDOWS\system32\drivers\InCDrec.sys
2010/11/19 14:39:53.0375   incdrm (31a5a3809249a326eb0ef58d563a9654) C:\WINDOWS\system32\drivers\InCDRm.sys
2010/11/19 14:39:53.0843   IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/11/19 14:39:54.0078   intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/19 14:39:54.0296   Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/11/19 14:39:54.0546   IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/19 14:39:54.0781   IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/19 14:39:55.0046   IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/19 14:39:55.0281   IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/19 14:39:55.0531   IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/19 14:39:55.0781   isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/19 14:39:56.0062   Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/19 14:39:56.0281   kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/19 14:39:56.0562   kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/19 14:39:56.0812   KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/19 14:39:57.0343   mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/11/19 14:39:57.0765   Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/19 14:39:58.0031   Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/19 14:39:58.0265   mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/19 14:39:58.0484   MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/19 14:39:58.0921   MRxDAV (6a7c4ac5b52155115dee97995c1cf157) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/19 14:39:59.0187   MRxSmb (d09b9f0b9960dd41e73127b7814c115f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/19 14:39:59.0468   Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/19 14:39:59.0687   MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/19 14:39:59.0984   MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/19 14:40:00.0218   MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/19 14:40:00.0468   mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/19 14:40:00.0703   Mup (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/19 14:40:01.0031   NDIS (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/19 14:40:01.0281   NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/19 14:40:01.0515   Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/19 14:40:01.0750   NdisWan (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/19 14:40:02.0046   NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/19 14:40:02.0265   NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/19 14:40:02.0500   NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/19 14:40:02.0843   Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/19 14:40:03.0109   Ntfs (ae8cad8f28db13b515a68510a539b0b8) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/19 14:40:03.0390   Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/19 14:40:03.0625   NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/19 14:40:03.0843   NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/19 14:40:04.0093   Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/19 14:40:04.0328   PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/19 14:40:04.0562   ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/19 14:40:04.0812   PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/19 14:40:05.0265   PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/11/19 14:40:05.0515   Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/19 14:40:05.0750   pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/11/19 14:40:07.0390   pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2010/11/19 14:40:07.0640   PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/19 14:40:07.0890   PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/19 14:40:08.0140   Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/19 14:40:09.0406   RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/19 14:40:09.0656   Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/19 14:40:09.0906   RasPppoe (2c9d4620a0fd35de1828370b392f6e2d) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/19 14:40:10.0140   Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/19 14:40:10.0375   Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/19 14:40:10.0625   RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/19 14:40:10.0859   rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/19 14:40:11.0109   RDPWD (e8e3107243b16a549b88d145ec051b06) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/19 14:40:11.0375   redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/19 14:40:11.0703   rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2010/11/19 14:40:11.0968   RT73 (c7bcf9808e2a1b4cabe16ff7fbce5fab) C:\WINDOWS\system32\DRIVERS\Dr71WU.sys
2010/11/19 14:40:12.0234   Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/19 14:40:12.0484   serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/19 14:40:12.0703   Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/19 14:40:13.0015   Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/19 14:40:13.0500   smwdm (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
2010/11/19 14:40:13.0968   splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/19 14:40:14.0234   SR (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/19 14:40:14.0484   Srv (70cd8b8dd2a680b128617c19eb0ab94f) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/19 14:40:14.0781   swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/19 14:40:15.0031   swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/19 14:40:16.0078   sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/19 14:40:16.0359   Tcpip (ba8c046d98345129723e6bcaa1e8ab99) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/19 14:40:16.0640   TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/19 14:40:16.0890   TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/19 14:40:17.0109   TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/19 14:40:17.0625   Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/19 14:40:18.0140   Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/19 14:40:18.0421   usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/19 14:40:18.0656   usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/19 14:40:18.0875   usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/19 14:40:19.0109   usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/19 14:40:19.0359   USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/19 14:40:19.0578   usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/19 14:40:19.0828   VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/19 14:40:20.0296   VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/19 14:40:20.0562   Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/19 14:40:21.0031   wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/19 14:40:21.0312   winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
2010/11/19 14:40:21.0734   WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/19 14:40:22.0015   WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/19 14:40:22.0421   ================================================================================
2010/11/19 14:40:22.0421   Scan finished
2010/11/19 14:40:22.0421   ================================================================================

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows XP Professional
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000003d

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7A97000 \WINDOWS\system32\KDCOM.DLL
0xF79A7000 \WINDOWS\system32\BOOTVID.dll
0xF7548000 ACPI.sys
0xF7A99000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7537000 pci.sys
0xF7597000 isapnp.sys
0xF7B5F000 PCIIde.sys
0xF7817000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7A9B000 intelide.sys
0xF75A7000 MountMgr.sys
0xF7518000 ftdisk.sys
0xF7A9D000 dmload.sys
0xF74F2000 dmio.sys
0xF781F000 PartMgr.sys
0xF75B7000 VolSnap.sys
0xF74DA000 atapi.sys
0xF75C7000 disk.sys
0xF75D7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74BA000 fltMgr.sys
0xF74A8000 sr.sys
0xF7491000 KSecDD.sys
0xF7404000 Ntfs.sys
0xF73D7000 NDIS.sys
0xF73BD000 Mup.sys
0xF7717000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF72BD000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF72A9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF785F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7285000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7867000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF724F000 \SystemRoot\system32\DRIVERS\HSFBS2S2.sys
0xF722C000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7100000 \SystemRoot\system32\DRIVERS\HSFDPSP2.sys
0xF7058000 \SystemRoot\system32\DRIVERS\HSFCXTS2.sys
0xF786F000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7877000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF787F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7727000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7887000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF788F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7737000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7A3B000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7044000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7A3F000 \SystemRoot\System32\Drivers\cdrbsvsd.SYS
0xF7747000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A43000 \SystemRoot\system32\drivers\pfc.sys
0xF7757000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7767000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7897000 \SystemRoot\system32\drivers\InCDPass.sys
0xF7777000 \SystemRoot\system32\drivers\InCDRm.sys
0xF6FC0000 \SystemRoot\system32\drivers\smwdm.sys
0xF6F9C000 \SystemRoot\system32\drivers\portcls.sys
0xF7787000 \SystemRoot\system32\drivers\drmk.sys
0xF7AB5000 \SystemRoot\system32\drivers\aeaudio.sys
0xF7BA3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7797000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A4F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6F85000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF77A7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF77B7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF789F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6F73000 \SystemRoot\system32\DRIVERS\psched.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78A7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78AF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF77E7000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF6A3B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AB7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF693D000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A6F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7807000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7607000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7ABD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78B7000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7378000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C52000 \SystemRoot\System32\Drivers\Null.SYS
0xF7ABF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78C7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF78CF000 \SystemRoot\System32\drivers\vga.sys
0xF7AC1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7370000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xEDB81000 \SystemRoot\system32\drivers\InCDFs.sys
0xF78D7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78DF000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF736C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEDB6E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEDB15000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7637000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xEDAED000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDACB000 \SystemRoot\System32\drivers\afd.sys
0xF7647000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEDAA0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEDA08000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7657000 \SystemRoot\System32\Drivers\Fips.SYS
0xED9E2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7667000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xED971000 \SystemRoot\system32\DRIVERS\Dr71WU.sys
0xF78E7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7CDB000 \SystemRoot\System32\Drivers\BANTExt.sys
0xED8AA000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF78FF000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xED899000 \SystemRoot\System32\Drivers\Udfs.SYS
0xED881000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7ADB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6931000 \SystemRoot\System32\drivers\Dxapi.sys
0xF790F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C6F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF05E000 \SystemRoot\System32\ialmdd5.DLL
0xED835000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xED829000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xED7A5000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF7697000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xED54E000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xED129000 \SystemRoot\system32\drivers\wdmaud.sys
0xED416000 \SystemRoot\system32\drivers\sysaudio.sys
0xECFB7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7ABB000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF7997000 \??\C:\WINDOWS\system32\ANIO.SYS
0xED1F6000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xED252000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
0xECE47000 \SystemRoot\system32\DRIVERS\srv.sys
0xECBFE000 \SystemRoot\System32\Drivers\HTTP.sys
0xF783F000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xECC97000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
568 C:\WINDOWS\system32\smss.exe
620 csrss.exe
644 C:\WINDOWS\system32\winlogon.exe
696 C:\WINDOWS\system32\services.exe
708 C:\WINDOWS\system32\lsass.exe
864 C:\WINDOWS\system32\svchost.exe
964 svchost.exe
1004 C:\WINDOWS\system32\svchost.exe
1172 svchost.exe
1340 svchost.exe
1348 C:\WINDOWS\explorer.exe
1640 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1720 C:\WINDOWS\system32\TaskSwitch.exe
1736 C:\WINDOWS\system32\hkcmd.exe
1744 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
1752 C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe
1772 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
1784 C:\Program Files\Nero\Nero 7\InCD\InCD.exe
1792 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
1800 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
1812 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1824 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
752 C:\WINDOWS\system32\spoolsv.exe
1468 svchost.exe
1568 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
1660 C:\Program Files\Java\jre6\bin\jqs.exe
1484 C:\Program Files\UPHClean\uphclean.exe
3492 alg.exe
3520 C:\Program Files\Windows Live\Contacts\wlcomm.exe
3288 C:\WINDOWS\system32\svchost.exe
1224 C:\WINDOWS\system32\wuauclt.exe
1888 C:\WINDOWS\system32\notepad.exe
1176 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: IC35L020AVVA07-0, Rev: VA1OA51A
PhysicalDrive2 Model Number: SAMSUNGHD400LD, Rev:
PhysicalDrive1 Model Number: WD15EADS External, Rev: 1.75

Size Device Name MBR Status
--------------------------------------------
18 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
372 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
1397 GB \\.\PhysicalDrive1 RE: Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E

Done!

guestolo · « **Reply #12 on:** November 18, 2010, 11:20:42 PM »

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code: [Select]
:filefind wscntfy.exe winlogon.exe explorer.exe
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
In addition: It may take a while to scan your drive for the 3 files, so give it time

In addition:
[color="#0000FF"]Scan With RKUnHooker[/color]

Download [color="#0000FF"]Rootkit Unhooker[/color] Save it to your desktop.
Note: Since this is a RAR file, and you have 7zip installed, please Extract the contents to your desktop
Double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth, Files, Code Hooks,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File>> Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get a warning similiar to the below
Just ignore it if you do
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

barrel05 · « **Reply #13 on:** November 20, 2010, 09:00:12 PM »

SystemLook 04.09.10 by jpshortstuff
Log created at 12:09 on 21/11/2010 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "wscntfy.exe"
No files found.

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 509440 bytes [08:27 19/10/2009] [08:27 19/10/2009] 5D12CAB858874F0AB2229A6F36507390

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [08:25 19/10/2009] [08:25 19/10/2009] E9191BF9EE3C83D53F691473FB28C176

-= EOF =-

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2190080 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2190080 bytes
0x804D7000 RAW 2190080 bytes
0x804D7000 WMIxWDM 2190080 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF712D000 C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF05E000 C:\WINDOWS\System32\ialmdd5.DLL 765952 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xF7085000 C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF72BD000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 684032 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF7404000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF6FED000 C:\WINDOWS\system32\drivers\smwdm.sys 540672 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xED971000 C:\WINDOWS\system32\DRIVERS\Dr71WU.sys 462848 bytes (Ralink Technology, Corp., Ralink 802.11 USB Wireless Adapter Driver)
0xEDA08000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF693D000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEDB15000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xECE80000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xECC0F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF724F000 C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF6A3B000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7548000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF73D7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xECFC8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xEC734000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEDAA0000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEDAED000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xED8AA000 C:\WINDOWS\System32\Drivers\aswSP.SYS 159744 bytes (AVAST Software, avast! self protection module)
0xF74F2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xED9E2000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xED846000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6FC9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7285000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF722C000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEDACB000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131968 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74BA000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7518000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBF03F000 C:\WINDOWS\System32\ialmdev5.DLL 126976 bytes (Intel Corporation, Component GHAL Driver)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 126976 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xEDB81000 C:\WINDOWS\system32\drivers\InCDFs.sys 114688 bytes (Nero AG, InCD File System Driver)
0xF73BD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF74DA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xED86A000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xED5AF000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xF7491000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6F85000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xED13A000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7071000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF72A9000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEDB6E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF6F73000 C:\WINDOWS\system32\DRIVERS\psched.sys 73728 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF74A8000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7537000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF76C7000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7737000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xED961000 C:\WINDOWS\system32\DRIVERS\rspndr.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0xF7717000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7767000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7747000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xED31F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF75F7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF75D7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7707000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7777000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75B7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF77C7000 C:\WINDOWS\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0xF7797000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7647000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7727000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF75A7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7787000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7627000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
0xF7597000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF77F7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF75C7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7757000 C:\WINDOWS\system32\drivers\InCDRm.sys 36864 bytes (Nero AG, Nero MRW Filter Driver)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF77A7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7637000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEC917000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7657000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78A7000 C:\WINDOWS\system32\drivers\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0xF787F000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF78EF000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7877000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF783F000 C:\WINDOWS\system32\ANIO.SYS 28672 bytes (Alpha Networks Inc., ANIO (NT5) Driver )
0xF788F000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF78D7000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7817000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF78F7000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7907000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF7897000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF786F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF78DF000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7867000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xF78C7000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF78E7000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF781F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF78B7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78BF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF78AF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7887000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF797F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7A53000 C:\WINDOWS\System32\Drivers\cdrbsvsd.SYS 16384 bytes (B.H.A Corporation, CD-ROM Filter Driver for Windows2000/xp)
0xF7A87000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xED7FA000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7A4F000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xED822000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xF79A7000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEDA98000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7A23000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 12288 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A2B000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
0xED15F000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7A67000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7A57000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus(R) ASPI Shell)
0xF7A2F000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xECF1C000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
0xF7ABF000 C:\WINDOWS\system32\drivers\aeaudio.sys 8192 bytes (Andrea Electronics Corporation, Andrea Audio Stub Driver)
0xF7AD1000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A9D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7B1D000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A9B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7A97000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B57000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7AD3000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7AC7000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7ACD000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A99000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7CC4000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BC5000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xF7C34000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C8F000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B5F000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89R8K3QS\videoByTag[1].aspx
!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat
!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat
!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\VikPev00
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B8A0, Type: Inline - PushRet 0x804E28A0-->CDED8B26 [unknown_code_page]
ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x8057FE4C-->ED8BFBB2 [aswSP.SYS]
ntoskrnl.exe-->NtCreateSection, Type: Inline - RelativeJump 0x805652B3-->ED8BF9D6 [aswSP.SYS]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x805A3B85-->ED8BFB10 [aswSP.SYS]
ntoskrnl.exe-->ObInsertObject, Type: Inline - RelativeJump 0x8056503A-->ED8BCFFA [aswSP.SYS]
ntoskrnl.exe-->ObMakeTemporaryObject, Type: Inline - RelativeJump 0x8059F8DB-->ED8BB5D4 [aswSP.SYS]
[1436]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C844935-->00000000 [unknown_code_page]
[1592]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1592]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1592]explorer.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C8197B0-->00000000 [unknown_code_page]
[1592]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1592]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1592]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1592]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B4-->00000000 [shimeng.dll]
[1592]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2628]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CD3-->00000000 [firefox.exe]
[2628]firefox.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[2628]firefox.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump 0x71AB5355-->00000000 [unknown_code_page]
[2628]firefox.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[2628]firefox.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[2628]firefox.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[2628]firefox.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[696]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001094-->00000000 [unknown_code_page]
[696]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001114-->00000000 [unknown_code_page]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

guestolo · « **Reply #14 on:** November 20, 2010, 11:57:20 PM »

Can you do the next steps, let's ensure that the files are infected
Please open a command prompt window (START>>RUN>> type cmd
Hit OK
Copy and paste the following commands at the command prompt and press Enter: after each line
Note, you should receive file copied after each line

Copy /y C:\WINDOWS\explorer.exe C:\

Copy /y C:\WINDOWS\system32\winlogon.exe C:\

Copy /y C:\WINDOWS\system32\drivers\tcpip.sys C:\

Type exit to close the prompt

Go to the following link
http://www.virustotal.com/[removed instructions as I accidentally edited this part of the reply]

barrel05 · « **Reply #15 on:** November 21, 2010, 12:20:16 AM »

It says "Sorry! We could not find www.virustotal.com" when i try to click on it

guestolo · « **Reply #16 on:** November 21, 2010, 12:31:41 AM »

Do you have the same problem at this next site
If not, link to the permalink afterwards
http://virusscan.jotti.org/en

barrel05 · « **Reply #17 on:** November 21, 2010, 04:57:18 AM »

Explorerhttp://virusscan.jotti.org/en/scanresult/23582d2c1a33d1cbdddbf0bbd650ee69e103d6f3

winlogonhttp://virusscan.jotti.org/en/scanresult/c71276f7583ab047d3908d6c27cc9816ef5610fa

tcpip

guestolo · « **Reply #18 on:** November 21, 2010, 01:00:01 PM »

It appears that both explorer.exe and winlogon.exe have been modified

I've uploaded fresh copies of those 2 files, and a copy of the missing file
wscntfy.exe
to mediafire
All from a fresh install of XP Pro SP3
First, can you do the following
Go into C:\ folder
START>>MyComputer>>Local disk C:\

Delete those files we copied over earlier from that location
C:\explorer.exe
C:\winlogon.exe
C:\tcpip.sys

Next, this is important
Download and save directly to your C:\ directory
guestolo.zip from mediafire, from the following link
Click [color="#0000FF"]HERE[/color]
If you happen to not save directly to that location
Move it there please

Then, since you have 7zip installed
Right click on guestolo.zip and choose to Extract Here
So now you should have a 'guestolo' folder directly in your C:\ location
So you now have C:\guestolo folder
As mentioned, that is important for the next steps to work properly

Delete your copy of ComboFix from Desktop
We need a fresh copy
ReDownload ComboFix from the following location

[color="#0000FF"]Link 1[/color]
Save it ONLY to your Desktop

I see some leftovers from Sophos AntiRootkit we're going to remove, along with replacing those files hopefully in the next step
Next:
Copy ALL the below in the Code box and paste to an empty notepad file
Don't use anything else than notepad or the script will not work
To open Notepad you can go to Start>Programs>> Accessories, and then clicking Notepad.

Code: [Select]

Driver::
MEMSWEEP2
File::
c:\windows\system32\1E.tmp
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89R8K3QS\videoByTag[1].aspx
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
FCopy::
C:\guestolo\explorer.exe | C:\WINDOWS\explorer.exe
C:\guestolo\wscntfy.exe | C:\WINDOWS\system32\wscntfy.exe
C:\guestolo\winlogon.exe | C:\WINDOWS\system32\winlogon.exe

Save this as txtfile on your desktop, with the exact name of
CFScript

Temporarily disable your AntiVirus/AntiSpyware software so it won't interfere with this next step
Again, temporarily disable Avast protections so they don't interfere

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
I'll need to see that log again

Keep me informed how things are now running

barrel05 · « **Reply #19 on:** November 21, 2010, 08:04:58 PM »

ComboFix 10-11-21.01 - Owner 22/11/2010 9:34.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.766.565 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89R8K3QS\videoByTag[1].aspx"
"c:\windows\system32\1E.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89R8K3QS\videoByTag[1].aspx

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\guestolo\explorer.exe --> c:\windows\explorer.exe
c:\guestolo\wscntfy.exe --> c:\windows\system32\wscntfy.exe
c:\guestolo\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2

((((((((((((((((((((((((( Files Created from 2010-10-21 to 2010-11-21 )))))))))))))))))))))))))))))))
.

2011-03-08 03:30 . 2010-07-27 03:48   --------   d-----w-   C:\Downloads
2011-03-05 03:29 . 2011-03-05 03:29   --------   d-----w-   C:\dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-21 22:05 . 2010-11-21 22:04   678699   ----a-w-   C:\guestolo.zip
2010-09-18 06:53 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
2010-09-18 01:23 . 2008-04-14 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
2010-09-14 17:50 . 2010-05-06 01:30   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2010-09-14 15:29 . 2010-03-31 23:57   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2010-09-10 05:57 . 2009-10-19 08:27   919552   ----a-w-   c:\windows\system32\wininet.dll
2010-09-10 05:57 . 2009-10-19 08:26   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2010-09-10 05:57 . 2009-10-19 08:25   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2010-09-01 11:48 . 2009-10-19 08:25   285824   ----a-w-   c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-10-19 08:27   1861888   ----a-w-   c:\windows\system32\win32k.sys
2010-08-27 08:01 . 2009-10-19 08:27   119808   ----a-w-   c:\windows\system32\t2embed.dll
2010-08-27 06:05 . 2008-04-14 12:00   99840   ----a-w-   c:\windows\system32\srvsvc.dll
2010-08-26 13:37 . 2009-10-19 08:27   357248   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-19 08:32   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
2004-03-11 02:27 . 2010-03-17 02:19   40960   ----a-w-   c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-18_10.27.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 22:45 . 2010-11-21 22:45   16384 c:\windows\Temp\Perflib_Perfdata_84.dat
+ 2010-11-21 22:33 . 2010-11-21 22:33   16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-10-30 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-10-30 02:29   2734688   ----a-w-   c:\program files\Zynga\tbZyn1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-10-30 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyn1.dll" [2010-10-30 2734688]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless G DWA-110"="c:\program files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe" [2008-04-15 1675264]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
2010-02-21 10:11   2969336   ----a-w-   c:\program files\BitComet\BitComet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
2003-12-22 11:15   86016   ------w-   c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-08-28 15:43   328568   ----a-w-   c:\program files\uTorrent\uTorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13785:TCP"= 13785:TCP:BitComet 13785 TCP
"13785:UDP"= 13785:UDP:BitComet 13785 UDP
"13745:TCP"= 13745:TCP:BitComet 13745 TCP
"13745:UDP"= 13745:UDP:BitComet 13745 UDP

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/03/2011 3:22 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/03/2011 3:22 PM 17744]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 7:29 PM 9472]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [19/10/2009 7:27 PM 14848]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper   REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{E51243AD-8232-4AC6-8D07-7BEEAA8CEE86}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 08:30]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2794175&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - midica Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser_game/ws/redir?_iceUrl=true&user_id=35025395&tool_id=60531&qkw=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}\components\Engine.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vkswq5d8.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 09:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-11-22 09:51:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-21 22:51
ComboFix2.txt 2010-11-19 03:19
ComboFix3.txt 2010-11-18 10:30
ComboFix4.txt 2010-11-18 09:36

Pre-Run: 8,418,119,680 bytes free
Post-Run: 8,406,315,008 bytes free

- - End Of File - - 87BCD5769B1B9C8EAD699B857B81DA62Google seems to be workin now

News:

Author Topic: Google being hijacked (Read 1996 times)