Fake Windows Security Virus removed, caused more rootkits and problems.


Post by jogna on Thu Apr 08, 2010 12:13 am

I had the infamous Windows Security Center virus that's been going around. After a Malwarebytes and Spybot scan I got rid of the program, but now I still have some lingering viruses that seem completely impossible to remove.
I believe one is a .sys file in my windows/system32/drivers/ folder, possibly caused by Rootkit.Agent.

Any help is immensely appreciated. I'll attach a HijackThis log, followed by a ComboFix log, here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:24, on 4/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - (no file)
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] files\BitComet\bitcomet .exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] files\BitComet\bitcomet .exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] files\BitComet\bitcomet .exe/AddAllLink.htm
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: 使用迅雷下载 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9cfcb98311892) (gupdate1c9cfcb98311892) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5818 bytes

--------------------------------------

ComboFix 10-04-07.01 - Spen 04/07/2010 20:30:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1504 [GMT -7:00]
Running from: c:\documents and settings\Spen\Desktop\commy.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{64E78697-7384-45D7-B0C2-057C6B5A8FBE}\install.rdf
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome.manifest
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome\content\_cfg.js
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\chrome\content\overlay.xul
c:\documents and settings\Spen\Local Settings\Application Data\{58529860-AEB4-4D33-8616-6EBC4329C137}\install.rdf
c:\windows\system32\_VOIDberfndeixm.log
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\winlogon.bak
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:51 . 2010-04-07 09:02 -------- d-----w- c:\documents and settings\Spen\Local Settings\Application Data\AskToolbar
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-06 06:17 . 2010-04-07 09:01 120 ----a-w- c:\windows\Igucur.dat
2010-04-06 06:17 . 2010-04-07 09:01 0 ----a-w- c:\windows\Qgivodexadapeq.bin
2010-04-06 06:15 . 2010-04-06 06:24 201728 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
2010-04-06 06:08 . 2010-04-07 03:26 -------- d-sh--w- c:\documents and settings\Administrator\.COMMgr
2010-04-06 06:08 . 2010-04-08 03:43 823808 ----a-w- c:\windows\system32\drivers\zwhlwd.sys
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-06 06:08 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-07 19:31 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-20 18:22 . 2010-03-21 23:01 -------- d-----w- c:\program files\Ask.com
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-03-29 02:37 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 03:25 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-08 03:07 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 12:48 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:24 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:39 . 2009-03-28 21:08 17864 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-03 07:40 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-09 01:37 . 2009-07-28 06:58 17864 ----a-w- c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
c:\program files\ATI\ATICustomerCare\aticustomercare .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\Avira\AntiVir Desktop\avgnt .exe
c:\program files\BitComet\bitcomet  .exe
c:\program files\CheckPoint\ZAForceField\forcefield .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Winamp Remote\bin\orbtray .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Zone Labs\ZoneAlarm\zlclient .exe

------- Sigcheck -------

[-] 2009-01-13 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 02:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 ----a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hf8wefhuaihf8ewfydiujhfdsfdf]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\m27f2z3pza.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\avp32.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mplay32xe.exe]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\mplay32xe.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\program files\Messenger\msmsgs.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
c:\program files\Winamp Remote\bin\OrbTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]
S0 anvjhxi;anvjhxi;c:\windows\system32\drivers\mcou.sys --> c:\windows\system32\drivers\mcou.sys [?]
S0 kmtex;kmtex;c:\windows\system32\drivers\docmkg.sys --> c:\windows\system32\drivers\docmkg.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]

--- Other Services/Drivers In Memory ---

*Deregistered* - zwhlwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 23:50]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Download with Xunlei (Thunder) - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: Download all links with Xunlei (Thunder) - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-KLiteCodecPack_is1 - g:\programs\K-Lite Codec Pack\unins000.exe
AddRemove-uTorrent - g:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-07 20:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A896AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7496cb8
\Driver\atapi -> 0x8ab5a1f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d75
ParseProcedure -> ntoskrnl.exe @ 0x8057950b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d75
ParseProcedure -> ntoskrnl.exe @ 0x8057950b
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba57fba0
PacketIndicateHandler -> NDIS.sys @ 0xba58cb21
SendHandler -> NDIS.sys @ 0xba56a87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zwhlwd]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1456)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-07 20:46:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 03:46

Pre-Run: 2,381,766,656 bytes free
Post-Run: 6,554,066,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 700EC4A17B6344AE34C1097B7DB7B7D0

jogna
Novice

Posts : 25
Joined : 2010-04-07
OS : XP
Points : 24828
Likes : 0
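The indicators a responder would pull out of the ComboFix and Gmer output above are: the two S0 (boot-start) services whose driver files ComboFix could not find on disk (`--> path [?]`), the `*Deregistered* - zwhlwd` driver still in memory, the `>>UNKNOWN [0x8A896AC8]<<` module sitting in the disk I/O stack, and the `\Driver\atapi` hook that points at a bare kernel address instead of a named module. As an added example (not from the thread, ComboFix or Gmer), the following Python script runs exactly that triage over a constructed sample modelled on the lines above. The regexes are assumptions about the log layout as shown here, and the sample text is constructed, not the poster's verbatim log.

```python
import re

# Constructed sample modelled on the ComboFix service list and the Stealth MBR
# detector section shown in the post above. Not the verbatim log.
SAMPLE = """\
R0 sptd;sptd;c:\\windows\\system32\\drivers\\sptd.sys [10/30/2008 12:04 AM 717296]
S0 anvjhxi;anvjhxi;c:\\windows\\system32\\drivers\\mcou.sys --> c:\\windows\\system32\\drivers\\mcou.sys [?]
S0 kmtex;kmtex;c:\\windows\\system32\\drivers\\docmkg.sys --> c:\\windows\\system32\\drivers\\docmkg.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\\program files\\Avira\\AntiVir Desktop\\sched.exe [4/6/2010 8:04 PM 135336]
*Deregistered* - zwhlwd
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A896AC8]<<
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\\Driver\\ACPI -> ACPI.sys @ 0xf7496cb8
\\Driver\\atapi -> 0x8ab5a1f8
"""

# ComboFix service line: "<start> <name>;<display>;<path>[ --> <resolved>] [<date size | ?>]"
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$'
)
DEREG_RE = re.compile(r'^\*Deregistered\* - (?P<name>\S+)$')
UNKNOWN_RE = re.compile(r'>>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<')
HOOK_RE = re.compile(r'^(?P<obj>\\Driver\\\S+) -> (?P<target>.+)$')
BARE_ADDR_RE = re.compile(r'^0x[0-9A-Fa-f]+$')

# ComboFix prefixes: R = running, S = stopped; the digit is the start type, 0 = boot-start.
BOOT_START = {"R0", "S0"}


def parse_service(line):
    """Return the fields of a ComboFix service/driver line, or None if it is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # ComboFix prints "--> <path> [?]" when the registered image is not on disk.
    d["missing"] = d["info"].strip() == "?"
    return d


def triage(text):
    """Scan log text and return a list of findings (dicts with a 'kind' key)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc:
            # A boot-start driver with no file on disk is either a dead entry or
            # a rootkit hiding its image; either way it needs a look.
            if svc["start"] in BOOT_START and svc["missing"]:
                findings.append({"kind": "boot_driver_missing_file",
                                 "name": svc["name"], "path": svc["path"]})
            continue
        m = DEREG_RE.match(line)
        if m:
            # Loaded driver whose service entry has been removed: no legitimate
            # installer leaves the system in this state.
            findings.append({"kind": "deregistered_driver_in_memory", "name": m.group("name")})
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            # Code in the disk stack that maps to no loaded module.
            findings.append({"kind": "unknown_module_in_disk_stack", "addr": m.group("addr")})
            continue
        m = HOOK_RE.match(line)
        if m and BARE_ADDR_RE.match(m.group("target")):
            # Driver object redirected to a raw address rather than "<module> @ <addr>".
            findings.append({"kind": "driver_hook_outside_any_module",
                             "name": m.group("obj"), "addr": m.group("target")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The script deliberately ignores hooks that resolve to a named module (CLASSPNP.SYS, ACPI.sys, ntoskrnl.exe): those are normal entries in the detector output, and the signal is the one driver object, `\Driver\atapi`, whose target has no module behind it.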

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Thu Apr 08, 2010 3:33 pm

Hi

Download [You must be registered and logged in to see this link.] to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
Likes : 10
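The `/md5start ... /md5stop` block in the instructions above asks OTL to hash a fixed list of boot-critical storage drivers rather than just listing their sizes and dates. The reason is that rootkits of that period patched a legitimate boot-start driver in place (atapi.sys was a common target), so the file keeps its name, size and apparent vendor and only a hash comparison against a known-good copy shows the change. As an added example (not from the thread and not OTL's own code), the following Python helper does the equivalent hashing and comparison. The baseline dictionary and the fixture directory it runs against are constructed here; real known-good hashes have to come from a clean install of the same Windows build and service pack, which the thread does not supply.

```python
import hashlib
import os
import tempfile

# Subset of the /md5start ... /md5stop names from the instructions above;
# a real run would pass the full list.
DRIVER_LIST = ["atapi.sys", "disk.sys", "usbstor.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def hash_file(path):
    """MD5 (what OTL reports) and SHA-256 (for comparing against any modern source)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def inventory(drivers_dir, names=DRIVER_LIST, baseline=None):
    """Hash each named driver under drivers_dir and compare with a baseline.

    baseline is an optional {name: known-good MD5} taken from a clean install of the
    same build and service pack (hypothetical here; nothing in the thread supplies it).
    Status per driver: 'missing' (no such file), 'ok' (matches baseline),
    'mismatch' (present but differs from baseline), 'unverified' (no baseline entry).
    """
    baseline = baseline or {}
    result = {}
    for name in names:
        path = os.path.join(drivers_dir, name)
        if not os.path.isfile(path):
            result[name] = {"status": "missing", "path": path}
            continue
        md5, sha = hash_file(path)
        rec = {"path": path, "size": os.path.getsize(path), "md5": md5, "sha256": sha}
        expected = baseline.get(name)
        if expected is None:
            rec["status"] = "unverified"
        elif expected.lower() == md5:
            rec["status"] = "ok"
        else:
            # Same name, same size is exactly what an in-place patch looks like;
            # the hash is the only field that moves.
            rec["status"] = "mismatch"
            rec["expected_md5"] = expected.lower()
        result[name] = rec
    return result


def demo():
    """Constructed fixture: a throwaway drivers directory with one intact file, one
    file altered without changing its size, and one absent file, plus a matching
    baseline. The bytes are placeholders, not real driver images."""
    d = tempfile.mkdtemp(prefix="drivers_")
    clean = b"MZ" + b"\x00" * 254
    with open(os.path.join(d, "atapi.sys"), "wb") as f:
        f.write(clean)
    with open(os.path.join(d, "disk.sys"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 254)   # same length as the "clean" copy, different content
    baseline = {
        "atapi.sys": hashlib.md5(clean).hexdigest(),
        "disk.sys": hashlib.md5(clean).hexdigest(),   # hypothetical known-good value
    }
    return inventory(d, ["atapi.sys", "disk.sys", "usbstor.sys"], baseline)


if __name__ == "__main__":
    for name, rec in demo().items():
        print(f"{name:12} {rec['status']:10} {rec.get('md5', '-')}")
```

On the machine in the thread the call would be `inventory(r"C:\WINDOWS\system32\drivers")` with a baseline built from a clean XP SP3 installation; without a baseline every present file comes back `unverified`, which is still useful as a record to compare with the MD5 values OTL prints.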

ty for reply.

Post by jogna on Thu Apr 08, 2010 9:23 pm

OTL Extras logfile created on: 4/8/2010 6:10:40 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Spen\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 1.82 Gb Free Space | 0.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALEX-ROOM
Current User Name: Spen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"14634:TCP" = 14634:TCP:*:Enabled:BitComet 14634 TCP
"14634:UDP" = 14634:UDP:*:Enabled:BitComet 14634 UDP
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Winamp Remote\bin\Orb.exe" = C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb -- (Orb Networks, Inc.)
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe" = C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client -- (Orb Networks)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1A48AB8A-DA88-545F-9D3D-C481DC6C31A3}" = Catalyst Control Center Graphics Full Existing
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{257DEF70-A302-CF80-79FE-D8C72EB5E4D0}" = ccc-utility
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2CF6349E-8A3F-B726-F59A-8703FC8885E8}" = Catalyst Control Center Graphics Light
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{302126A2-BB96-5931-6249-CAACA2C89AA1}" = ccc-core-static
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5B9EFDF8-AC4F-CA21-9A8C-7534D49E7EE9}" = Catalyst Control Center HydraVision Full
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C89B82E-AD76-7715-43EA-C37E563E83BB}" = ATI Catalyst Install Manager
"{6F42FC6B-947B-9B89-29B0-545F0815AD7F}" = ATI Parental Control & Encoder
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{855AA20A-CA81-7EF1-1936-AE4AA3DC4BEA}" = ccc-core-preinstall
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9867BC9-0EAD-BAC6-C320-4FBC2E127643}" = Catalyst Control Center Core Implementation
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{BE8A9C2C-8E41-445B-A746-BEB0B1F992F8}" = DJ_AIO_03_F4200_Software_Min
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3B6AEB1-390C-4792-8677-CD87F8B2C959}" = HP Deskjet F4200 All-In-One Driver 11.0 03
"{C89B5E3A-690F-4CEE-909A-BF869E198B0A}" = Scan
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
"{D0E6B5D9-6737-AF3E-7BE5-7327DD6B6002}" = Catalyst Control Center Graphics Previews Common
"{E4C82E4B-CD9E-27ED-BC6A-E099DE3EC3ED}" = CCC Help English
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E7231089-60AD-CD67-8CC0-B0F415E2A32A}" = Catalyst Control Center Graphics Full New
"{E96B0085-6659-486b-A221-5042A042728D}" = Toolbox
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BitComet" = BitComet 1.05
"CCleaner" = CCleaner (remove only)
"FileASSASSIN" = FileASSASSIN
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LimeWire" = LimeWire 4.18.8
"Magic ISO Maker v5.5 (build 0273)" = Magic ISO Maker v5.5 (build 0273)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Orb" = Winamp Remote
"PartyPoker" = PartyPoker
"PokerStars" = PokerStars
"Postal 2 Share The Pain" = Postal 2 Share The Pain
"PowerShell" = Windows PowerShell(TM) 1.0
"PunkBusterSvc" = PunkBuster Services
"RealVNC_is1" = VNC Free Edition 4.1.2
"StarCraft II Beta" = StarCraft II Beta
"Steam App 240" = Counter-Strike: Source
"uTorrent" = µTorrent
"VIDEOzilla_is1" = VIDEOzilla v2.8
"VLC media player" = VLC media player 1.0.3
"Wdf01001" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Winamp Toolbar" = Winamp Toolbar
"Winamp Toolbar for Firefox" = Winamp Toolbar for Firefox
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoneAlarm" = ZoneAlarm
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/6/2010 10:44:03 PM | Computer Name = ALEX-ROOM | Source = Application Error | ID = 1000
Description = Faulting application vsmon.exe, version 9.1.7.2, faulting module ,
version 0.0.0.0, fault address 0x00000000.

Error - 4/6/2010 10:52:19 PM | Computer Name = ALEX-ROOM | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3685, faulting module
3difr.x3d, version 9.1.0.0, fault address 0x0001d601.

Error - 4/6/2010 11:08:29 PM | Computer Name = ALEX-ROOM | Source = Application Error | ID = 1000
Description = Faulting application acrotray .exe, version 3.2.1203.2000, faulting
module msvcrt.dll, version 7.0.2600.2180, fault address 0x00037fd4.

Error - 4/8/2010 3:59:43 AM | Computer Name = ALEX-ROOM | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module Flash10c.ocx, version 10.0.32.18, fault address 0x0005ba18.

Error - 4/8/2010 7:06:59 AM | Computer Name = ALEX-ROOM | Source = Application Error | ID = 1000
Description = Faulting application pavark.exe, version 5.0.0.4, faulting module
ntdll.dll, version 5.1.2600.3520, fault address 0x000101b3.

Error - 4/8/2010 7:08:08 AM | Computer Name = ALEX-ROOM | Source = Application Error | ID = 1000
Description = Faulting application pavark.exe, version 5.0.0.4, faulting module
ntdll.dll, version 5.1.2600.3520, fault address 0x00011a5d.

Error - 4/8/2010 7:09:11 AM | Computer Name = ALEX-ROOM | Source = Application Error | ID = 1000
Description = Faulting application pooolngutfdddddrk.exe, version 5.0.0.4, faulting
module jscript.dll, version 5.7.6002.22145, fault address 0x0000c6c0.

Error - 4/8/2010 6:57:03 PM | Computer Name = ALEX-ROOM | Source = Google Update | ID = 20
Description =

Error - 4/8/2010 7:57:03 PM | Computer Name = ALEX-ROOM | Source = Google Update | ID = 20
Description =

Error - 4/8/2010 8:57:03 PM | Computer Name = ALEX-ROOM | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 4/8/2010 1:16:27 AM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 4/8/2010 1:24:32 AM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 4/8/2010 2:02:08 AM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 4/8/2010 2:15:33 AM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 4/8/2010 2:38:59 AM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 4/8/2010 3:36:57 AM | Computer Name = ALEX-ROOM | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_ZWHLWD\0000 disappeared from the system without
first being prepared for removal.

Error - 4/8/2010 3:22:52 PM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7028
Description = The Cfg Registry key denied access to SYSTEM account programs so the
Service Control Manager took ownership of the Registry key.

Error - 4/8/2010 3:23:02 PM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Cdrom Imapi

Error - 4/8/2010 3:23:35 PM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/8/2010 3:46:02 PM | Computer Name = ALEX-ROOM | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Cdrom Imapi


< End of report >


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Thu Apr 08, 2010 9:26 pm

OTL.txt had too much text to display as a message; I'll attach the TXT file for you.

Hmm, I'm trying to attach it and it's telling me it is an invalid file.
My next two posts are OTL.txt, split in two.



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Thu Apr 08, 2010 9:26 pm

OTL logfile created on: 4/8/2010 6:10:40 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Spen\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 1.82 Gb Free Space | 0.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALEX-ROOM
Current User Name: Spen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\My Documents\Downloads\OTL.exe
PRC - [2010/04/08 12:34:15 | 000,319,792 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2010/03/30 00:46:02 | 001,086,856 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/01/26 15:31:12 | 005,365,592 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PRC - [2008/04/13 17:12:40 | 000,032,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wpabaln.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2007/10/25 16:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2006/05/12 16:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Disabled | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - [2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/03/02 21:21:08 | 004,630,016 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2010/02/16 13:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/11/22 15:42:54 | 000,486,280 | ---- | M] (Check Point Software Technologies LTD) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/03/30 01:14:47 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/10/30 00:04:51 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2008/10/13 19:26:10 | 004,879,360 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/08/07 20:14:56 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/20 19:40:10 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2007/02/26 17:15:22 | 000,061,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2006/10/13 14:48:26 | 000,050,048 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb20.sys -- (xusb20)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://go.microsoft.com/fwlink/?LinkId=69157"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.5.53.4
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="


FF - HKLM\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/04/05 23:31:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox 3.5 Beta 4\components [2010/04/07 01:38:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.5 Beta 4\plugins [2010/04/07 01:38:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/05 08:08:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/05 08:08:37 | 000,000,000 | ---D | M]

[2009/03/28 14:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Mozilla\Extensions
[2009/11/06 23:36:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\extensions
[2009/11/06 23:35:52 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\searchplugins\bing.xml
[2010/04/08 01:17:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/22 23:20:30 | 000,491,520 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll

O1 HOSTS File: ([2010/04/08 02:14:18 | 000,385,193 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 13312 more lines...
O2 - BHO: (ThunderAtOnce Class) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\ComDlls\TDAtOnce_Now.dll (Thunder Networking Technologies,LTD)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll (BitComet)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: 使用迅雷下载 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm ()
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\getAllurl.htm ()
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll (BitComet)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.144.18 64.59.144.19
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - Unable to open key or key not present!
O32 - AutoRun File - [2008/10/29 23:08:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/10/29 14:41:07 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe - (Lime Wire, LLC)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk - C:\PROGRA~1\McAfee Security Scan\1.0.150\SSScheduler.exe - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe - (Microsoft Corporation)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Alcmtr - hkey= - key= - C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: ATICustomerCare - hkey= - key= - C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe File not found
MsConfig - StartUpReg: BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - hkey= - key= - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
MsConfig - StartUpReg: BitComet - hkey= - key= - c:\program files\BitComet\bitcomet .exe File not found
MsConfig - StartUpReg: COM+ Manager - hkey= - key= - C:\Documents and Settings\Administrator\.COMMgr\complmgr.exe File not found
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: DAEMON Tools Lite - hkey= - key= - C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
MsConfig - StartUpReg: FlashPlayerUpdate - hkey= - key= - File not found
MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe File not found
MsConfig - StartUpReg: hf8wefhuaihf8ewfydiujhfdsfdf - hkey= - key= - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\m27f2z3pza.exe File not found
MsConfig - StartUpReg: hsf87efjhdsf87f3jfsdi7fhsujfd - hkey= - key= - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avp32.exe File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe File not found
MsConfig - StartUpReg: Malwarebytes Anti-Malware (reboot) - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: mplay32xe.exe - hkey= - key= - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mplay32xe.exe File not found
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - c:\program files\windows live\messenger\msnmsgr .exe (Microsoft Corporation)
MsConfig - StartUpReg: Orb - hkey= - key= - C:\Program Files\Winamp Remote\bin\OrbTray.exe File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\program files\quicktime\qttask .exe (Apple Inc.)
MsConfig - StartUpReg: RTHDCPL - hkey= - key= - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: Software Informer - hkey= - key= - C:\Program Files\Software Informer\softinfo.exe File not found
MsConfig - StartUpReg: SpybotSD TeaTimer - hkey= - key= - c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
MsConfig - StartUpReg: StartCCC - hkey= - key= - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe File not found
MsConfig - StartUpReg: Steam - hkey= - key= - C:\Program Files\Steam\Steam.exe (Valve Corporation)
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
MsConfig - StartUpReg: XboxStat - hkey= - key= - C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PEVSystemStart - Service
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: procexp90.Sys - Driver
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {BDE0FA43-6952-4BA8-8C58-09AF690F88E1} - Microsoft .NET Framework 1.0 Hotfix (KB930494)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EA29D410-CE41-4953-A862-2DE706A1DAD7} - Microsoft .NET Framework 1.0 Service Pack 3
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /HideWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: VIDC.HFYU - C:\WINDOWS\System32\huffyuv.dll (Disappearing Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.VP60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP70 - C:\WINDOWS\System32\vp7vfw.dll (On2.com)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll ([You must be registered and logged in to see this link.]

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/08 12:46:25 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/08 12:28:11 | 000,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2010/04/08 12:27:23 | 002,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2010/04/08 12:27:23 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2010/04/08 12:27:22 | 002,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2010/04/08 12:27:22 | 002,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2010/04/08 12:27:09 | 000,203,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2010/04/08 12:27:01 | 000,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2010/04/08 12:26:18 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2010/04/08 12:24:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/04/08 12:23:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/08 12:22:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/04/08 12:17:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/04/08 12:17:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/04/08 12:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/04/08 12:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/04/08 12:07:52 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/04/08 04:10:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Spen\IETldCache
[2010/04/08 04:08:39 | 000,008,576 | ---- | C] (Panda Software International) -- C:\WINDOWS\System32\drivers\iyxnciyqodnk.sys
[2010/04/08 04:08:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/04/08 04:07:22 | 000,008,576 | ---- | C] (Panda Software International) -- C:\WINDOWS\System32\drivers\irxyvcqntpwi.sys
[2010/04/08 04:05:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Pavark
[2010/04/08 04:05:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/04/08 03:07:06 | 000,000,000 | ---D | C] -- C:\b9366766186a5e08fc2c
[2010/04/08 00:26:40 | 000,000,000 | ---D | C] -- C:\commy
[2010/04/07 23:28:25 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidserv.dll
[2010/04/07 23:23:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2010/04/07 23:20:48 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aaclient.dll
[2010/04/07 23:20:48 | 000,004,255 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\adv01nt5.dll
[2010/04/07 23:20:48 | 000,003,967 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\adv02nt5.dll
[2010/04/07 23:20:48 | 000,003,615 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\adv05nt5.dll
[2010/04/07 23:20:47 | 000,003,775 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\adv11nt5.dll
[2010/04/07 23:20:47 | 000,003,711 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\adv09nt5.dll
[2010/04/07 23:20:47 | 000,003,647 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\adv07nt5.dll
[2010/04/07 23:20:47 | 000,003,135 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\adv08nt5.dll
[2010/04/07 23:20:46 | 000,043,008 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\drivers\amdagp.sys
[2010/04/07 23:20:45 | 000,870,784 | ---- | C] (ATI Technologies Inc. ) -- C:\WINDOWS\System32\ati3d1ag.dll
[2010/04/07 23:20:45 | 000,377,984 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2dvaa.dll
[2010/04/07 23:20:45 | 000,032,768 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativtmxx.dll
[2010/04/07 23:20:45 | 000,023,040 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativmvxx.ax
[2010/04/07 23:20:45 | 000,009,728 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativdaxx.ax
[2010/04/07 23:20:44 | 000,233,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\azroles.dll
[2010/04/07 23:20:44 | 000,036,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bthprint.sys
[2010/04/07 23:20:44 | 000,025,471 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\atv04nt5.dll
[2010/04/07 23:20:44 | 000,021,183 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\atv01nt5.dll
[2010/04/07 23:20:44 | 000,017,279 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\atv10nt5.dll
[2010/04/07 23:20:44 | 000,014,143 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\atv06nt5.dll
[2010/04/07 23:20:44 | 000,011,359 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\atv02nt5.dll
[2010/04/07 23:20:44 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx4.dll
[2010/04/07 23:20:42 | 000,015,423 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\ch7xxnt5.dll
[2010/04/07 23:20:39 | 000,650,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3ui.dll
[2010/04/07 23:20:39 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3cfg.dll
[2010/04/07 23:20:39 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3msm.dll
[2010/04/07 23:20:39 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dhcpqec.dll
[2010/04/07 23:20:39 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3gpclnt.dll
[2010/04/07 23:20:39 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsroam.dll
[2010/04/07 23:20:39 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3api.dll
[2010/04/07 23:20:39 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3dlg.dll
[2010/04/07 23:20:37 | 000,184,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapp3hst.dll
[2010/04/07 23:20:37 | 000,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapphost.dll
[2010/04/07 23:20:37 | 000,126,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappcfg.dll
[2010/04/07 23:20:37 | 000,094,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappgnui.dll
[2010/04/07 23:20:37 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapqec.dll
[2010/04/07 23:20:37 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappprxy.dll
[2010/04/07 23:20:37 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapolqec.dll
[2010/04/07 23:20:36 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\faxpatch.exe
[2010/04/07 23:20:33 | 000,032,285 | ---- | C] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\hsfcisp2.dll
[2010/04/07 23:20:32 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010/04/07 23:20:31 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsdupd.exe
[2010/04/07 23:20:30 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\irbus.sys
[2010/04/07 23:20:27 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rwnh.dll
[2010/04/07 23:20:26 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smtpapi.dll
[2010/04/07 23:20:22 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\l2gpstore.dll
[2010/04/07 23:20:22 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdpash.dll
[2010/04/07 23:20:22 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnepr.dll
[2010/04/07 23:20:22 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdiultn.dll
[2010/04/07 23:20:22 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdbhc.dll
[2010/04/07 23:20:12 | 000,086,016 | ---- | C] (Conexant) -- C:\WINDOWS\System32\mdmxsdk.dll
[2010/04/07 23:20:11 | 000,397,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcex.dll
[2010/04/07 23:20:11 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\microsoft.managementconsole.dll
[2010/04/07 23:20:11 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcfxcommon.dll
[2010/04/07 23:20:11 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcperf.exe
[2010/04/07 23:20:04 | 001,737,856 | ---- | C] (Matrox Graphics Inc.) -- C:\WINDOWS\System32\mtxparhd.dll
[2010/04/07 23:20:04 | 001,372,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2010/04/07 23:20:04 | 000,155,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mssha.dll
[2010/04/07 23:20:04 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2010/04/07 23:20:04 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msshavmsg.dll
[2010/04/07 23:20:04 | 000,012,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mutohpen.sys
[2010/04/07 23:20:03 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napmontr.dll
[2010/04/07 23:20:03 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napstat.exe
[2010/04/07 23:20:03 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napipsec.dll
[2010/04/07 23:20:00 | 004,274,816 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nv4_disp.dll
[2010/04/07 23:20:00 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\onex.dll
[2010/04/07 23:19:57 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qagent.dll
[2010/04/07 23:19:57 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qutil.dll
[2010/04/07 23:19:57 | 000,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qcliprov.dll
[2010/04/07 23:19:57 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rasqec.dll
[2010/04/07 23:19:56 | 000,397,056 | ---- | C] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\s3gnb.dll
[2010/04/07 23:19:56 | 000,290,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rhttpaa.dll
[2010/04/07 23:19:56 | 000,030,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rndismpx.sys
[2010/04/07 23:19:54 | 000,286,792 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slextspk.dll
[2010/04/07 23:19:54 | 000,188,508 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slgen.dll
[2010/04/07 23:19:54 | 000,073,832 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slcoinst.dll
[2010/04/07 23:19:54 | 000,073,796 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slserv.exe
[2010/04/07 23:19:54 | 000,040,960 | ---- | C] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\drivers\sisagp.sys
[2010/04/07 23:19:54 | 000,032,866 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slrundll.exe
[2010/04/07 23:19:54 | 000,032,866 | ---- | C] (Smart Link) -- C:\WINDOWS\slrundll.exe
[2010/04/07 23:19:54 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\setupn.exe
[2010/04/07 23:19:54 | 000,005,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\smbali.sys
[2010/04/07 23:19:54 | 000,003,901 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\siint5.dll
[2010/04/07 23:19:53 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdwxp.exe
[2010/04/07 23:19:53 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spdwnwxp.exe
[2010/04/07 23:19:49 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsgqec.dll
[2010/04/07 23:19:48 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\verclsid.exe
[2010/04/07 23:19:48 | 000,011,325 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\vchnt5.dll
[2010/04/07 23:19:47 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vidcap.ax
[2010/04/07 23:19:45 | 000,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wlanapi.dll
[2010/04/07 23:17:46 | 000,095,424 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2010/04/07 23:17:46 | 000,025,471 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\watv10nt.sys
[2010/04/07 23:17:46 | 000,022,271 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\watv06nt.sys
[2010/04/07 23:17:46 | 000,013,240 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2010/04/07 23:17:46 | 000,011,935 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\wadv11nt.sys
[2010/04/07 23:17:46 | 000,011,871 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\wadv09nt.sys
[2010/04/07 23:17:46 | 000,011,807 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\wadv07nt.sys
[2010/04/07 23:17:46 | 000,011,295 | ---- | C] (Intel(R) Corporation) -- C:\WINDOWS\System32\drivers\wadv08nt.sys
[2010/04/07 23:17:45 | 001,897,408 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nv4_mini.sys
[2010/04/07 23:17:45 | 001,309,184 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2010/04/07 23:17:45 | 000,452,736 | ---- | C] (Matrox Graphics Inc.) -- C:\WINDOWS\System32\drivers\mtxparhm.sys
[2010/04/07 23:17:45 | 000,404,990 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2010/04/07 23:17:45 | 000,180,360 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2010/04/07 23:17:45 | 000,166,912 | ---- | C] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\drivers\s3gnbm.sys
[2010/04/07 23:17:45 | 000,129,535 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnt7554.sys
[2010/04/07 23:17:45 | 000,126,686 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2010/04/07 23:17:45 | 000,013,776 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\recagent.sys
[2010/04/07 23:17:44 | 000,327,040 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati2mtaa.sys
[2010/04/07 23:17:44 | 000,104,960 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinrvxx.sys
[2010/04/07 23:17:44 | 000,073,216 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atintuxx.sys
[2010/04/07 23:17:44 | 000,063,663 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1rvxx.sys
[2010/04/07 23:17:44 | 000,063,488 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinxsxx.sys
[2010/04/07 23:17:44 | 000,057,856 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinbtxx.sys
[2010/04/07 23:17:44 | 000,056,623 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1btxx.sys
[2010/04/07 23:17:44 | 000,052,224 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinraxx.sys
[2010/04/07 23:17:44 | 000,036,463 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1tuxx.sys
[2010/04/07 23:17:44 | 000,034,735 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xsxx.sys
[2010/04/07 23:17:44 | 000,031,744 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinxbxx.sys
[2010/04/07 23:17:44 | 000,030,671 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1raxx.sys
[2010/04/07 23:17:44 | 000,029,455 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xbxx.sys
[2010/04/07 23:17:44 | 000,028,672 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinsnxx.sys
[2010/04/07 23:17:44 | 000,026,367 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1snxx.sys
[2010/04/07 23:17:44 | 000,021,343 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1ttxx.sys
[2010/04/07 23:17:44 | 000,014,336 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinpdxx.sys
[2010/04/07 23:17:44 | 000,013,824 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinttxx.sys
[2010/04/07 23:17:44 | 000,013,824 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinmdxx.sys
[2010/04/07 23:17:44 | 000,012,047 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1pdxx.sys
[2010/04/07 23:17:44 | 000,011,615 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1mdxx.sys
[2010/04/07 23:14:15 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2010/04/07 23:14:10 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/04/07 23:14:03 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll
[2010/04/07 23:14:03 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll
[2010/04/07 23:13:33 | 000,455,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2010/04/07 20:47:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/07 20:26:45 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/07 20:25:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/07 20:25:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/07 20:25:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/07 20:25:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/07 20:24:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/07 20:22:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/07 19:00:40 | 000,000,000 | ---D | C] -- C:\Program Files\FileASSASSIN
[2010/04/07 13:52:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\SmitfraudFix
[2010/04/07 12:46:24 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/07 12:46:20 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/07 12:46:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/07 06:00:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/07 06:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/07 02:18:41 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Spen\Recent
[2010/04/07 02:07:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/07 02:05:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/06 21:14:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/06 20:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/06 20:25:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/04/06 20:22:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Application Data\Avira
[2010/04/06 20:04:02 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/04/06 20:04:01 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/04/06 20:04:01 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/04/06 20:04:01 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/04/06 20:04:01 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/04/06 20:04:00 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/06 20:04:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/04/05 23:51:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Local Settings\Application Data\AskToolbar
[2010/04/05 23:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/05 23:31:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\My Documents\ForceField Shared Files
[2010/04/05 23:31:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Application Data\CheckPoint
[2010/04/05 23:30:50 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/05 23:30:46 | 000,058,248 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2010/04/05 23:30:45 | 000,103,816 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2010/04/05 23:30:45 | 000,069,000 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2010/04/05 23:30:39 | 001,238,408 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2010/04/05 23:30:39 | 000,299,912 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2010/04/05 23:30:39 | 000,109,960 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2010/04/05 23:30:39 | 000,107,912 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2010/04/05 23:30:39 | 000,041,864 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2010/04/05 23:30:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/04/05 23:30:38 | 000,486,280 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2010/04/05 23:30:12 | 000,621,960 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2010/04/05 23:30:12 | 000,227,720 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2010/04/05 23:30:12 | 000,112,008 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2010/04/05 23:21:46 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/04/05 23:21:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/04/05 08:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/05 08:10:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/05 08:10:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/05 08:08:00 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/05 08:04:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/03/31 20:17:38 | 000,000,000 | ---D | C] -- C:\Program Files\dumps
[2010/03/29 19:36:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/28 23:18:36 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2010/03/23 22:56:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ATI
[2010/03/23 22:52:53 | 003,641,344 | ---- | C] (Advanced Micro Devices Inc.) -- C:\WINDOWS\System32\aticaldd.dll
[2010/03/23 22:52:53 | 000,143,360 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\atiapfxx.exe
[2010/03/23 22:52:53 | 000,118,784 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\atibtmon.exe
[2010/03/23 22:52:53 | 000,065,024 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\WINDOWS\System32\atimpc32.dll
[2010/03/23 22:52:53 | 000,045,056 | ---- | C] (Advanced Micro Devices Inc.) -- C:\WINDOWS\System32\aticalrt.dll
[2010/03/23 22:52:53 | 000,045,056 | ---- | C] (Advanced Micro Devices Inc.) -- C:\WINDOWS\System32\aticalcl.dll
[2010/03/23 22:52:35 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2010/03/21 02:51:23 | 000,000,000 | ---D | C] -- C:\Program Files\StarCraft II Beta
[2010/03/21 02:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
[2010/03/20 11:42:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\Unused Desktop Shortcuts
[2010/03/20 11:22:17 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2010/03/17 21:53:42 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2010/03/15 01:37:48 | 000,000,000 | ---D | C] -- C:\Program Files\World of Warcraft
[2010/03/14 12:55:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Blizzard Entertainment
[2009/12/10 21:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/05/13 00:30:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/05/08 03:56:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/11/10 19:48:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/10/29 23:11:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/10/29 23:11:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

jogna
Novice
Posts : 25
Joined : 2010-04-07
OS : XP
Points : 24828
# Likes : 0
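The OTL listing above is long and most of it is Service Pack and driver noise. As an added triage aid (this is not code from jogna's post, from OTL or from the forum helpers), here is a small Python parser for the OTL "Files Created / Modified" line format with three heuristic checks that helpers on these boards normally apply by eye: hidden+system files sitting in user data folders, executables with no version-info company name sitting in a profile folder, and an oversized hosts file. The checks, the folder segments and the 10,000-byte hosts threshold are my assumptions about what deserves a second look; a hit means "inspect this file", not "this is the infection". The sample input is a handful of lines copied from the log above.

```python
"""Triage helper for OTL 'Files Created / Modified' lines (added example, not OTL code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file line, e.g.
#   [2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\...\bQT88M2c
# Attribute flags are positional: R(eadonly) H(idden) S(ystem) D(irectory).
# Directory lines omit the "(company)" group; files without version-info
# company information carry an empty "()".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
PROFILE_ROOT = "c:\\documents and settings\\"
USER_DATA_SEGMENTS = ("\\application data\\", "\\local settings\\", "\\documents\\")
HOSTS_SIZE_LIMIT = 10_000  # assumption: a stock XP hosts file is well under 1 KB


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    readonly: bool
    hidden: bool
    system: bool
    is_dir: bool
    kind: str               # 'C' created in window, 'M' modified in window
    company: Optional[str]  # None for directory lines, '' for "()"
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file/directory line; headers and other text give None."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    a = m.group("attrs")
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        readonly=a[0] == "R", hidden=a[1] == "H",
        system=a[2] == "S", is_dir=a[3] == "D",
        kind=m.group("kind"),
        company=m.group("company"),
        path=m.group("path"),
    )


def triage(entry: OtlEntry) -> List[str]:
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    p = entry.path.lower()
    name = p.rsplit("\\", 1)[-1]
    in_profile = p.startswith(PROFILE_ROOT)
    in_user_data = in_profile and any(seg in p for seg in USER_DATA_SEGMENTS)
    # 1. Hidden+System is expected on ntldr, boot.ini or ntuser.ini, not on a
    #    file dropped under Application Data or All Users\Documents.
    if entry.hidden and entry.system and in_user_data:
        reasons.append("hidden+system file in a user data folder")
    # 2. Executable with no version-info company, living in a profile folder.
    if in_profile and name.endswith(EXEC_EXT) and entry.company == "":
        reasons.append("executable with no company name in a profile folder")
    # 3. A large hosts file is either blocklist immunization or a hijack; read it.
    if p.endswith("\\drivers\\etc\\hosts") and entry.size > HOSTS_SIZE_LIMIT:
        reasons.append(f"hosts file is {entry.size:,} bytes; review its entries")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage over a pasted OTL section; lines that do not parse are skipped."""
    findings = []
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is not None and (reasons := triage(entry)):
            findings.append((entry.path, reasons))
    return findings


# Sample input: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
========== Files - Modified Within 30 Days ==========
[2010/04/08 04:08:39 | 000,008,576 | ---- | C] (Panda Software International) -- C:\WINDOWS\System32\drivers\iyxnciyqodnk.sys
[2010/04/07 20:26:45 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/08 02:00:22 | 000,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documents\khq
[2010/04/08 02:00:10 | 000,734,581 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\rydxuu.exe
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/04/08 12:44:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Spen\ntuser.ini
[2010/04/08 02:14:18 | 000,385,193 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/07 12:46:20 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/07 22:15:50 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
"""
```

On the sample, `triage_log(SAMPLE_LOG)` reports khq, rydxuu.exe, bQT88M2c, 2269221376.dll (two reasons) and the hosts file, and passes over ntuser.ini, the Malwarebytes driver, swsc.exe in System32 and the Panda-named driver. The two randomly named "Panda Software International" drivers are not flagged on purpose: the log shows the Pavark folder appearing about two minutes before them, which is consistent with a Panda Anti-Rootkit run, and a company string is neither a verdict of guilt nor a clean bill on its own. Treat each hit as a file to pull apart (hashes, strings, who loads it), not as a removal list.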

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Thu Apr 08, 2010 9:27 pm

========== Files - Modified Within 30 Days ==========

[2010/04/08 18:01:00 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/04/08 17:23:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/08 14:23:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/08 12:47:29 | 000,454,170 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/08 12:47:29 | 000,074,628 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/08 12:47:28 | 000,538,676 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/08 12:45:53 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/08 12:45:37 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/08 12:45:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/08 12:45:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/08 12:45:25 | 000,117,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/08 12:44:36 | 008,650,752 | -H-- | M] () -- C:\Documents and Settings\Spen\NTUSER.DAT
[2010/04/08 12:44:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Spen\ntuser.ini
[2010/04/08 12:44:31 | 005,379,218 | -H-- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\IconCache.db
[2010/04/08 12:34:15 | 000,000,673 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2010/04/08 12:29:15 | 000,004,444 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2010/04/08 12:26:59 | 000,018,640 | ---- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/08 12:24:11 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/04/08 12:20:34 | 000,002,639 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/08 12:12:26 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/04/08 04:08:33 | 000,008,576 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\drivers\iyxnciyqodnk.sys
[2010/04/08 04:07:15 | 000,008,576 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\drivers\irxyvcqntpwi.sys
[2010/04/08 02:14:18 | 000,385,193 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/08 02:00:22 | 000,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documents\khq
[2010/04/08 00:40:13 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/08 00:39:48 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100408-021417.backup
[2010/04/07 23:28:54 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/04/07 23:28:52 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
[2010/04/07 21:32:39 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/07 20:26:54 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/04/07 12:46:26 | 000,000,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Pokemon Gold.lnk
[2010/04/07 02:42:50 | 000,000,090 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/07 02:07:40 | 000,000,992 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\Spybot - Search & Destroy.lnk
[2010/04/07 02:05:18 | 000,001,783 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\HijackThis.lnk
[2010/04/07 02:01:38 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Igucur.dat
[2010/04/07 02:01:38 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qgivodexadapeq.bin
[2010/04/06 19:52:17 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/06 19:31:37 | 000,148,016 | ---- | M] () -- C:\Documents and Settings\Spen\My Documents\cc_20100406_193125.reg
[2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
[2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/04/06 00:03:12 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/06 00:00:44 | 000,002,322 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\Google Chrome.lnk
[2010/04/05 23:31:36 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/05 23:30:47 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/05 23:07:41 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100407-021746.backup
[2010/04/05 18:48:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/05 08:10:34 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/05 08:08:28 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/01 20:41:41 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 23:18:36 | 000,001,886 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2010/03/21 02:59:13 | 000,000,868 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II Beta.lnk
[2010/03/17 21:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/03/17 21:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/03/11 05:38:51 | 000,133,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\extmgr.dll
[2010/03/10 06:18:21 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/08 12:34:15 | 000,000,673 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2010/04/08 12:29:15 | 000,004,444 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2010/04/08 02:00:22 | 000,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documents\khq
[2010/04/08 02:00:10 | 000,734,581 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\rydxuu.exe
[2010/04/07 23:28:54 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/04/07 23:28:52 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/07 23:22:33 | 000,002,639 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/04/07 23:20:27 | 000,000,974 | ---- | C] () -- C:\WINDOWS\System32\pid.inf
[2010/04/07 23:17:44 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2010/04/07 23:17:43 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2010/04/07 23:17:43 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2010/04/07 22:15:50 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2010/04/07 22:14:05 | 000,007,882 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
[2010/04/07 22:14:04 | 000,007,882 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/07 20:26:53 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/04/07 20:26:48 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/07 20:25:10 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/07 20:25:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/07 20:25:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/07 20:25:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/07 20:25:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/07 12:46:26 | 000,000,757 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Pokemon Gold.lnk
[2010/04/07 02:42:50 | 000,000,090 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/04/07 02:07:40 | 000,000,992 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\Spybot - Search & Destroy.lnk
[2010/04/07 02:05:18 | 000,001,783 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\HijackThis.lnk
[2010/04/06 19:52:17 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/06 19:31:29 | 000,148,016 | ---- | C] () -- C:\Documents and Settings\Spen\My Documents\cc_20100406_193125.reg
[2010/04/06 00:03:12 | 000,000,319 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/06 00:00:44 | 000,002,322 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\Google Chrome.lnk
[2010/04/05 23:52:20 | 000,201,728 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/04/05 23:39:03 | 000,012,848 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
[2010/04/05 23:30:47 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/05 23:30:38 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/05 23:17:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Igucur.dat
[2010/04/05 23:17:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qgivodexadapeq.bin
[2010/04/05 23:08:05 | 000,012,848 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/04/05 08:10:34 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/05 08:08:28 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/28 23:18:36 | 000,001,886 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2010/03/23 22:52:53 | 000,033,616 | ---- | C] () -- C:\WINDOWS\System32\atiapfxx.blb
[2010/03/21 02:51:23 | 000,000,868 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II Beta.lnk
[2010/03/20 11:22:20 | 000,000,250 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2009/12/12 21:34:43 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\fusioncache.dat
[2009/05/31 15:49:48 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\EGameEncrypt.dll
[2009/05/18 13:56:09 | 000,000,337 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/04/11 12:15:27 | 000,000,146 | ---- | C] () -- C:\Documents and Settings\Spen\default.pls
[2009/03/28 17:06:14 | 000,203,264 | ---- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/28 15:31:22 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/03/28 15:31:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/03/28 15:31:09 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/28 15:31:09 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/28 15:31:01 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/03/28 15:31:01 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/28 14:07:50 | 000,028,672 | -H-- | C] () -- C:\Documents and Settings\Spen\ntuser.dat.LOG
[2009/03/28 14:07:50 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Spen\ntuser.ini
[2009/03/28 14:07:49 | 008,650,752 | -H-- | C] () -- C:\Documents and Settings\Spen\NTUSER.DAT
[2009/02/15 07:43:11 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/12/03 23:28:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vzcontextmenu.dll
[2008/12/03 23:28:13 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\DetectDxQT.dll
[2008/11/05 19:36:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/01 16:57:24 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 17:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/10/29 14:46:49 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/10/29 14:46:49 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/10/29 14:46:49 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2001/08/17 08:31:52 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2001/08/17 08:31:56 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2001/08/17 08:31:48 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2001/08/17 08:31:56 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/03 17:46:54 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2001/08/17 08:31:44 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2001/08/17 08:31:48 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2001/08/17 08:31:48 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2001/08/17 08:31:50 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2001/08/17 08:31:44 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/03 17:45:08 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/03 17:45:14 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/03 17:45:10 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/03 17:45:16 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/03 17:45:12 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2009/11/22 15:42:54 | 000,486,280 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\vsdatant.sys
[2008/04/13 11:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 06:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 17:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 17:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 17:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 17:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 17:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 17:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 17:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2010/03/02 20:07:44 | 000,053,248 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2erec.dll
[2008/04/13 17:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 17:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 17:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 17:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 17:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 17:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2004/08/04 00:56:44 | 000,021,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\hidserv.dll
[2008/04/13 17:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 17:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2008/10/29 23:08:28 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/06/13 20:26:14 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2010/04/07 20:26:54 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2008/10/29 23:08:28 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/11/30 16:17:14 | 000,000,081 | ---- | M] () -- C:\DVDPATH.TXT
[2008/10/29 23:08:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/10/29 23:08:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/03 17:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/04/08 12:12:26 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/04/08 12:45:24 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/04/07 19:43:01 | 000,002,741 | ---- | M] () -- C:\rapport.txt
[2009/11/03 21:45:35 | 000,000,209 | ---- | M] () -- C:\Shortcut to CD Drive.lnk
[2008/11/24 18:08:40 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/01/28 15:50:26 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/06/13 12:58:06 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/08/02 21:13:33 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/08/14 19:08:56 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/09/09 21:42:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/10/13 16:48:19 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/11/24 18:08:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/01/28 15:50:26 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/06/13 12:58:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/08/02 21:13:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/08/14 19:08:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/09/09 21:42:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/10/13 16:48:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm

< %PROGRAMFILES%\*. >
[2010/04/06 20:53:31 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2008/11/03 18:05:00 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/03/21 16:01:17 | 000,000,000 | ---D | M] -- C:\Program Files\Ask.com
[2010/03/23 22:54:54 | 000,000,000 | ---D | M] -- C:\Program Files\ATI
[2010/03/23 22:54:27 | 000,000,000 | ---D | M] -- C:\Program Files\ATI Technologies
[2010/04/06 20:04:00 | 000,000,000 | ---D | M] -- C:\Program Files\Avira
[2010/04/06 19:24:49 | 000,000,000 | ---D | M] -- C:\Program Files\BitComet
[2010/04/05 08:04:11 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/01/12 23:50:04 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/04/05 23:30:50 | 000,000,000 | ---D | M] -- C:\Program Files\CheckPoint
[2009/07/04 02:33:51 | 000,000,000 | ---D | M] -- C:\Program Files\Comical
[2010/04/08 00:33:19 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/10/29 23:03:58 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2008/10/30 00:06:22 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools Lite
[2009/12/21 22:52:59 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/03/31 20:17:38 | 000,000,000 | ---D | M] -- C:\Program Files\dumps
[2010/04/07 19:00:41 | 000,000,000 | ---D | M] -- C:\Program Files\FileASSASSIN
[2010/02/05 23:15:22 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/05/18 13:58:49 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/05/18 13:57:23 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2010/03/14 00:30:50 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2008/10/29 23:16:10 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/04/08 04:10:20 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2009/07/04 00:20:34 | 000,000,000 | ---D | M] -- C:\Program Files\IObit
[2010/04/05 08:10:14 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/04/05 23:08:35 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2008/10/30 00:09:21 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/05/18 14:18:08 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2009/12/25 22:09:38 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2009/06/16 02:36:28 | 000,000,000 | ---D | M] -- C:\Program Files\MagicISO
[2010/04/07 12:46:27 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/08 12:41:09 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/06 12:56:41 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009/12/10 21:27:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2008/10/29 23:08:42 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/04/08 12:16:59 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/04/02 17:05:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/04/08 00:43:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox 3.5 Beta 4
[2009/12/08 00:43:52 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2008/10/29 22:57:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/10/29 22:57:45 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/01/13 10:26:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/12/08 00:40:12 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2008/11/05 19:23:05 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2010/04/08 12:14:43 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/10/29 23:31:59 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/05/18 14:18:07 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2010/04/08 12:39:01 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/11/27 01:37:29 | 000,000,000 | ---D | M] -- C:\Program Files\PartyGaming
[2010/03/14 02:33:36 | 000,000,000 | ---D | M] -- C:\Program Files\PokerStars
[2009/06/16 02:36:28 | 000,000,000 | ---D | M] -- C:\Program Files\Postal2STP
[2009/11/27 01:37:27 | 000,000,000 | ---D | M] -- C:\Program Files\Project64 v1.5
[2010/04/07 12:31:58 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2008/10/29 23:20:35 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2008/10/30 00:09:49 | 000,000,000 | ---D | M] -- C:\Program Files\RealVNC
[2009/12/08 00:43:42 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/04/07 02:08:55 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/01 00:39:52 | 000,000,000 | ---D | M] -- C:\Program Files\StarCraft II Beta
[2010/04/01 15:40:44 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2010/04/07 02:05:18 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2008/10/29 23:12:25 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/04/08 12:34:15 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2008/10/30 20:32:28 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2008/12/03 23:28:18 | 000,000,000 | ---D | M] -- C:\Program Files\VIDEOzilla
[2009/07/23 13:54:13 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2010/04/05 23:36:27 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Remote
[2009/07/23 13:52:58 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Toolbar
[2010/04/07 23:33:32 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2009/11/06 12:55:59 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/11/06 12:56:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2008/10/29 23:08:26 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/04/08 12:14:39 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/10/29 23:03:18 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Plus
[2008/10/29 23:07:13 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2008/10/30 00:29:36 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2010/03/28 19:37:26 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2008/10/29 23:08:42 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/04/05 23:21:46 | 000,000,000 | ---D | M] -- C:\Program Files\Zone Labs

< %appdata%\*.* >
[2008/10/29 14:48:34 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Spen\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004/08/09 23:32:38 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: AHCIX86.SYS >
[2008/03/07 18:24:52 | 000,176,136 | ---- | M] (AMD Technologies Inc.) MD5=B6E729A575F84938A08D367E8352EB86 -- C:\ATI\SUPPORT\8-10_xp32_dd_ccc_wdm_enu_69561\SBDrv\RAID7xx\x86\ahcix86.sys

< MD5 for: ATAPI.SYS >
[2004/08/09 23:32:38 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/03 17:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/09 23:32:38 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sp3.cab:disk.sys
[2004/08/03 17:59:54 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 19:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2004/08/03 19:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/16 21:50:11 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=06CF9EEDB7E827205C6948C9DAF56974 -- C:\WINDOWS\$hf_mig$\KB944043-v3\SP3QFE\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 19:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2004/08/03 19:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/09 23:32:38 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2010/04/08 12:07:47 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sp3.cab:usbstor.sys
[2004/08/04 00:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 11:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 11:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\usbstor.sys
[2008/04/13 11:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\usbstor.sys
[2008/04/13 11:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-04-08 19:41:23
< End of report >

jogna
Novice

Posts : 25
Joined : 2010-04-07
OS : XP
Points : 24828
# Likes : 0


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Fri Apr 09, 2010 10:08 am

Hi...this infection is interesting. Please re-run ComboFix and post a log.


Dr. Jay (DJ)


Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sat Apr 10, 2010 12:50 am

I really wish there was no limit to message size; it's difficult for me to post my logs.
It will take me like 10 posts to put this entire log on.

jogna
Novice

Posts : 25
Joined : 2010-04-07
OS : XP
Points : 24828
# Likes : 0


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sat Apr 10, 2010 12:55 am

ComboFix 10-04-09.01 - Spen 04/09/2010 21:31:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\.COMMgr
c:\windows\system32\drivers\irxyvcqntpwi.sys
c:\windows\system32\drivers\iyxnciyqodnk.sys
.
---- Previous Run -------
.
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\kalebtt.sys
c:\windows\system32\drivers\zwhlwd.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\system32\dllcache\cdrom.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_zwhlwd
-------\Service_wwykp
-------\Service_zwhlwd
-------\Legacy_irxyvcqntpwi
-------\Legacy_iyxnciyqodnk
-------\Service_irxyvcqntpwi
-------\Service_iyxnciyqodnk


((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:51 . 2010-04-08 05:15 -------- d-----w- c:\documents and settings\Spen\Local Settings\Application Data\AskToolbar
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-06 06:17 . 2010-04-07 09:01 120 ----a-w- c:\windows\Igucur.dat
2010-04-06 06:17 . 2010-04-07 09:01 0 ----a-w- c:\windows\Qgivodexadapeq.bin
2010-04-06 06:15 . 2010-04-06 06:24 201728 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-06 06:08 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-07 19:31 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-20 18:22 . 2010-03-21 23:01 -------- d-----w- c:\program files\Ask.com
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-03-29 02:37 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

jogna
Novice

Posts : 25
Joined : 2010-04-07
OS : XP
Points : 24828
Likes : 0

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sat Apr 10, 2010 1:00 am

(((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 23:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hf8wefhuaihf8ewfydiujhfdsfdf]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\m27f2z3pza.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\avp32.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mplay32xe.exe]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\mplay32xe.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-27 00:44 3883856 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
c:\program files\Winamp Remote\bin\OrbTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S0 anvjhxi;anvjhxi;c:\windows\system32\drivers\mcou.sys --> c:\windows\system32\drivers\mcou.sys [?]
S0 kmtex;kmtex;c:\windows\system32\drivers\docmkg.sys --> c:\windows\system32\drivers\docmkg.sys [?]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-09 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 23:50]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\bitcomet .exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\bitcomet .exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\bitcomet .exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sat Apr 10, 2010 1:00 am

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-09 21:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-09 21:44:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 04:44
ComboFix2.txt 2010-04-08 03:47

Pre-Run: 5,110,607,872 bytes free
Post-Run: 5,128,454,144 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 420B6FA475D27DFEC7098CF5EE0D231B


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sat Apr 10, 2010 1:02 am

Thanks again for helping me out.
I am dying to install my copy of Windows 7, but I don't feel safe entering the product key while my computer is infected.


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Sat Apr 10, 2010 9:33 am

You cut out a lot of that ComboFix log. Luckily I caught the first part before it was cut, otherwise an important infection would not be removed.

-=-

I see you are running P2P applications: BitTorrent, uTorrent, and LimeWire. I suggest reading the following, and then deciding whether you want to keep them or not: [You must be registered and logged in to see this link.]

-=-

You are using Ask Toolbar. I suggest removing it, as it tracks user habits on their search engine. But that choice is up to you.

-=-

Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

-=-

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.

-=-

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    File::
    c:\windows\Igucur.dat
    c:\windows\Qgivodexadapeq.bin
    c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
    c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\m27f2z3pza.exe
    c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\avp32.exe
    c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\mplay32xe.exe

    RenV::
    c:\program files\ATI\ATICustomerCare\aticustomercare .exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
    c:\program files\Avira\AntiVir Desktop\avgnt .exe
    c:\program files\BitComet\bitcomet .exe
    c:\program files\CheckPoint\ZAForceField\forcefield .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\Winamp Remote\bin\orbtray .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe
    c:\program files\Zone Labs\ZoneAlarm\zlclient .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hf8wefhuaihf8ewfydiujhfdsfdf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mplay32xe.exe]

    Driver::
    kmtex
    anvjhxi

    Rootkit::
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
Likes : 10
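For readers following along: the CFScript above targets three things that stand out in the posted ComboFix log, and each one can be picked out mechanically. Below is an added Python triage helper (written for this thread; it is not part of ComboFix and not the helper's own tooling) that reads a ComboFix-style excerpt and flags them: msconfig startupreg entries whose program sits in a Temp folder (the hf8wef.../hsf87ef.../mplay32xe.exe entries), launch paths with a space inserted before ".exe" (the entries Dr Jay lists under RenV::), and boot-start (S0) drivers whose file ComboFix marks "[?]" (anvjhxi and kmtex). The sample log inside the script is constructed from lines in the post above; the regular expressions and function names are this example's own, not anything ComboFix documents.

```python
"""Triage helper for a ComboFix-style log excerpt.

Added example, not ComboFix's own code. It scans the kinds of lines that
appear in the posted log and flags three patterns the CFScript acts on:
  1. startupreg entries whose program lives in a Temp folder;
  2. launch paths with a space before ".exe" (the RenV:: entries);
  3. boot-start (S0) services whose driver file is marked "[?]".
"""
import re

# Constructed sample: line shapes and file names copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hf8wefhuaihf8ewfydiujhfdsfdf]
c:\docume~1\ADMINI~1\LOCALS~1\Temp\m27f2z3pza.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S0 anvjhxi;anvjhxi;c:\windows\system32\drivers\mcou.sys --> c:\windows\system32\drivers\mcou.sys [?]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
"""

# Patterns are this example's own heuristics, not ComboFix definitions.
STARTUP_KEY = re.compile(r"^\[.*\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
TEMP_DIR = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)
SPACE_BEFORE_EXT = re.compile(r" \.(exe|dll|sys)\b", re.I)
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<rest>.*)$"
)


def parse_startup_entries(log_text):
    """Pair each startupreg key with the image line that follows it."""
    lines = [l.strip() for l in log_text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = STARTUP_KEY.match(line)
        if m and i + 1 < len(lines):
            entries.append((m.group("name"), lines[i + 1]))
    return entries


def parse_services(log_text):
    """Parse 'R2 name;display;path [...]' driver/service lines into dicts."""
    stripped = (l.strip() for l in log_text.splitlines())
    return [m.groupdict() for m in map(SERVICE_LINE.match, stripped) if m]


def triage(log_text):
    """Return (finding_kind, entry_name, evidence_line) tuples in log order."""
    findings = []
    for name, image in parse_startup_entries(log_text):
        if SPACE_BEFORE_EXT.search(image):
            # "qttask .exe": the launch path no longer points at the real file.
            findings.append(("space-before-ext", name, image))
        if TEMP_DIR.search(image):
            # Programs autostarting from %Temp% are almost never legitimate.
            findings.append(("startup-in-temp", name, image))
    for svc in parse_services(log_text):
        # S0 = boot start; "[?]" means ComboFix could not see the file on disk.
        if svc["start"] == "S0" and svc["rest"].endswith("[?]"):
            findings.append(("boot-driver-missing", svc["svc"], svc["rest"]))
    return findings


if __name__ == "__main__":
    for kind, name, evidence in triage(SAMPLE_LOG):
        print(f"{kind:20} {name:32} {evidence}")
```

Run it against a full ComboFix.txt by reading the file into `triage()`; the three finding kinds map directly onto the File::/RenV::/Driver:: sections of a CFScript, but the output is a list of things to look at, not a list of things to delete: a legitimate driver can show "[?]" on a system where ComboFix lacked access, so confirm each hit before acting on it.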

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sun Apr 11, 2010 2:05 am

I must apologize for that.
I was having a lot of trouble fitting the entire log; is there any way I can send you the file? Anyway...

ComboFix 10-04-10.02 - Spen 04/10/2010 22:51:55.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1429 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll"
"c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\avp32.exe"
"c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\m27f2z3pza.exe"
"c:\documents and settings\ADMINISTRATOR\Local Settings\Temp\mplay32xe.exe"
"c:\windows\Igucur.dat"
"c:\windows\Qgivodexadapeq.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\2269221376.dll
c:\windows\Igucur.dat
c:\windows\Qgivodexadapeq.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_anvjhxi
-------\Service_kmtex


((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-07 19:31 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 05:59 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-10 05:27 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
Code:
c:\program files\BitComet\bitcomet  .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-10 22:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3748)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-10 23:02:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 06:02
ComboFix2.txt 2010-04-10 04:44
ComboFix3.txt 2010-04-08 03:47

Pre-Run: 5,141,135,360 bytes free
Post-Run: 5,123,846,144 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 907219E867BD6A96A3E30E6DEF6693DD

jogna
Novice

Posts : 25
Joined : 2010-04-07
OS : XP
Points : 24828
# Likes : 0


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Sun Apr 11, 2010 5:35 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    Code:
    killall::

    RenV::
    c:\program files\BitComet\bitcomet  .exe
    c:\program files\QuickTime\qttask  .exe
    c:\program files\Windows Live\Messenger\msnmsgr  .exe

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14317
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 303008
# Likes : 10

View user profile

Back to top Go down
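An added triage example for the kind of log posted in this thread (it is not code from the thread, from ComboFix or from the helper): it scans the "Reg Loading Points" section of a ComboFix log for autostart entries whose executable name has a space before the extension (the entries ComboFix prints with "[N/A]" or "[X]") and drafts a CFScript in the same killall::/RenV::/Registry::/Reboot:: shape the helper uses. The sample log lines are constructed from the posted log, and the draft is something a helper reviews before anyone runs it.

```python
"""Triage helper for ComboFix "Reg Loading Points" output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, in the format ComboFix prints under "Reg Loading Points".
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet  .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
"""

# A drive-letter path whose basename is followed by one or more spaces and then
# the extension ("msnmsgr .exe", "bitcomet  .exe").  The path part excludes
# quotes and brackets so the trailing "[N/A]" / "[X]" marker is never swallowed.
RENAMED_EXE = re.compile(r'([a-zA-Z]:\\[^"\[\]]*?)( +)\.(exe|dll|sys)\b', re.IGNORECASE)
KEY_LINE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\Run]
VALUE_LINE = re.compile(r'^"([^"]+)"=')       # "msnmsgr"="..."
STATUS = re.compile(r'\[([^\]]*)\]\s*$')      # trailing [N/A], [X], [date size]


@dataclass
class Finding:
    key: str            # registry key the entry lives under
    value_name: str     # value name for Run-style entries, "" for startupreg keys
    logged_path: str    # path exactly as ComboFix printed it (space included)
    expected_path: str  # the same path with the space removed
    status: str         # text inside the trailing [...] marker, e.g. "N/A"


def find_renamed_autostarts(log_text):
    """Return one Finding per autostart entry that points at a 'name .ext' path."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_LINE.match(line)
        if key_match:
            key = key_match.group(1)   # remember which key the next lines belong to
            continue
        path_match = RENAMED_EXE.search(line)
        if not path_match or not key:
            continue
        stem, ext = path_match.group(1), path_match.group(3)
        name_match = VALUE_LINE.match(line)
        status_match = STATUS.search(line)
        findings.append(Finding(
            key=key,
            value_name=name_match.group(1) if name_match else "",
            logged_path=path_match.group(0),
            expected_path=f"{stem}.{ext}",
            status=status_match.group(1) if status_match else "",
        ))
    return findings


def draft_cfscript(findings):
    """Draft a CFScript in the shape used in this thread: RenV:: lists the files
    to rename back, Registry:: drops the dead autostart entries (a Run value is
    removed with "name"=-, a whole msconfig startupreg key with [-key])."""
    lines = ["killall::", "", "RenV::"]
    seen = set()
    for f in findings:
        if f.logged_path not in seen:       # the same file may be listed twice
            seen.add(f.logged_path)
            lines.append(f.logged_path)
    lines += ["", "Registry::"]
    for f in findings:
        if f.value_name:
            lines.append(f"[{f.key}]")
            lines.append(f'"{f.value_name}"=-')
        else:
            lines.append(f"[-{f.key}]")
    lines += ["", "Reboot::"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in find_renamed_autostarts(SAMPLE_LOG):
        print(f"{f.status or '-':>4}  {f.logged_path}  ->  {f.expected_path}")
    print()
    print(draft_cfscript(find_renamed_autostarts(SAMPLE_LOG)))
```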

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sun Apr 11, 2010 7:05 am

ComboFix 10-04-10.02 - Spen 04/11/2010 3:53.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1581 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-11 10:53 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 11:01 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 06:28 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
Code:
c:\program files\BitComet\bitcomet  .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
c:\program files\BitComet\bitcomet .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-11 04:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(1120)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-11 04:04:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 11:04
ComboFix2.txt 2010-04-11 06:02
ComboFix3.txt 2010-04-10 04:44
ComboFix4.txt 2010-04-08 03:47

Pre-Run: 4,755,378,176 bytes free
Post-Run: 4,716,523,520 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - CBDD80CB2E8123BF2ED306DF9D06E6D6

jogna (Novice; joined 2010-04-07; OS: XP)
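The ComboFix logs in this thread list newly created files in a fixed layout (created timestamp, modified timestamp, size, attribute flags, path), and the entries a helper actually reads for are a small set: hidden+system files, binaries with random numeric names under a user profile, and new kernel drivers. The script below is an added example, not code from the thread or from ComboFix: it parses that file-listing layout and returns the entries worth a second look. The sample lines are constructed in the log's format (one of them reproduces the numeric-named DLL that appears in a log on this page), and the meaning of the attribute letters (leading `d` for directory, `s` system, `h` hidden) is an assumption read from how ComboFix prints them.

```python
import re

# Constructed sample lines in the layout of ComboFix's "Files Created" section
# (created . modified size attrs path). The numeric-named DLL line reproduces an
# entry from a log in this thread; the others are typical benign entries.
SAMPLE_LOG = r"""
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

BINARY_EXT = {"dll", "exe", "sys", "scr", "com"}


def parse_entry(line: str):
    """Parse one file-listing line; returns None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    # Assumed flag semantics, read as ComboFix prints them: a leading 'd' marks
    # a directory; 's' and 'h' are the system and hidden attributes.
    e["is_dir"] = e["attrs"].startswith("d")
    e["size"] = int(e["size"]) if e["size"].isdigit() else None
    return e


def triage(entry) -> list:
    """Reasons this entry deserves a human look; an empty list means nothing stood out."""
    path = entry["path"]
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower() if dot else ""
    attrs = entry["attrs"]
    reasons = []
    if not entry["is_dir"] and "s" in attrs and "h" in attrs:
        reasons.append("hidden+system file")
    if ext in BINARY_EXT and stem.isdigit():
        reasons.append("numeric-only binary name")
    if ext in BINARY_EXT and "\\application data\\" in low:
        reasons.append("binary under a user profile")
    if ext == "sys" and "\\drivers\\" in low:
        reasons.append("new kernel driver: verify publisher and hash")
    return reasons


def triage_log(text: str):
    """Return [(path, reasons)] for every parsable line with at least one reason."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := triage(entry)):
            findings.append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

Directories are deliberately excluded from the hidden+system rule: ComboFix lists IE's per-user `IETldCache` folders with `d-sh`, and flagging them only adds noise. A driver hit such as `mbam.sys` is a prompt to check the file's signer and hash, not a verdict; here it belongs to the Malwarebytes install visible elsewhere in the same log.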

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Sun Apr 11, 2010 1:39 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close or disable all antivirus and anti-malware programs so they do not interfere with ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    Code:
    killall::

    RenV::
    c:\program files\BitComet\bitcomet  .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe
    c:\program files\quicktime\qttask .exe

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)

Dr Jay (Head Administrator; joined 2009-09-06)
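The `RenV::` section of the CFScript above targets three executables whose names carry a space before `.exe` (`bitcomet  .exe`, `msnmsgr .exe`, `qttask .exe`). NTFS treats such a name as a file distinct from `bitcomet.exe`, so a padded copy can sit next to the real program without replacing it. The check below is an added example, not code from the thread or from ComboFix: it flags executable names with whitespace around the stem and computes the collapsed name that renaming would restore. The sample paths are constructed (the first three mirror the RenV entries in the script), and `scan_tree` is a plain `os.walk` you can point at a real directory.

```python
import os
from pathlib import PureWindowsPath

# Extensions where a padded name is worth a second look.
CHECKED_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}

# Constructed sample paths: the first three mirror the RenV:: entries in the
# CFScript above; the rest are clean names plus one padded system-binary look-alike.
SAMPLE_PATHS = [
    r"c:\program files\BitComet\bitcomet  .exe",
    r"c:\program files\Windows Live\Messenger\msnmsgr .exe",
    r"c:\program files\quicktime\qttask .exe",
    r"c:\program files\uTorrent\uTorrent.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\svchost .exe",
]


def is_padded_name(path: str) -> bool:
    """True when the base name carries whitespace before its extension
    (e.g. 'bitcomet  .exe') or at its start, on a checked extension."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in CHECKED_EXT:
        return False
    return p.stem != p.stem.strip()


def collapsed_name(path: str) -> str:
    """The name a rename would restore: surrounding whitespace stripped from the stem."""
    p = PureWindowsPath(path)
    return str(p.with_name(p.stem.strip() + p.suffix))


def find_padded(paths):
    """Return (padded_path, proposed_path) pairs for every padded name in paths."""
    return [(p, collapsed_name(p)) for p in paths if is_padded_name(p)]


def scan_tree(root: str):
    """Walk a real directory tree (for instance the Program Files directory)
    and report padded executable names. Not exercised by the sample run below."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(find_padded(os.path.join(dirpath, f) for f in files))
    return hits


if __name__ == "__main__":
    for padded, fixed in find_padded(SAMPLE_PATHS):
        print(f"{padded!r} -> {fixed!r}")
```

A hit is a lead, not a verdict: before renaming, compare the padded file and any same-named unpadded neighbour by hash and signer, because the padded one is sometimes the legitimate program that was renamed out of the way.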

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Sun Apr 11, 2010 2:51 pm

ComboFix 10-04-10.02 - Spen 04/11/2010 11:33:40.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1574 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-11 10:53 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 18:47 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 06:28 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
Code:
    c:\program files\BitComet\bitcomet  .exe

((((((((((((((((((((((((((((( SnapShot_2010-04-10_04.40.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-11 18:39 . 2010-04-11 18:39 16384 c:\windows\temp\Perflib_Perfdata_228.dat
+ 2010-04-11 05:46 . 2010-04-11 05:46 3940352 c:\windows\Installer\5603518.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 (Download with Thunder) - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 (Download all links with Thunder) - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-11 11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-11 11:49:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 18:49
ComboFix2.txt 2010-04-11 11:04
ComboFix3.txt 2010-04-11 06:02
ComboFix4.txt 2010-04-10 04:44
ComboFix5.txt 2010-04-11 18:32

Pre-Run: 4,723,154,944 bytes free
Post-Run: 4,679,782,400 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - FC30FA6F72A0B2F3977D4AA2EB1BC5F1


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Sun Apr 11, 2010 11:00 pm

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    * .exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Mon Apr 12, 2010 12:25 am

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:23 on 11/04/2010 by Spen (Administrator - Elevation successful)

========== filefind ==========

Searching for "* .exe"
C:\Documents and Settings\Spen\Local Settings\Application Data\Google\Update\googleupdate .exe --a--- 136176 bytes [06:59 06/04/2010] [06:59 06/04/2010] F02A533F517EB38333CB12A9E8963773
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

-=End Of File=-


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Mon Apr 12, 2010 12:53 am

Good work. Now once more:

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    Code:
    killall::

    RenV::
    C:\Documents and Settings\Spen\Local Settings\Application Data\Google\Update\googleupdate .exe
    C:\Program Files\BitComet\bitcomet .exe

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)
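The two helper steps above (the SystemLook `:filefind` search for `* .exe`, and the ComboFix CFScript that renames the hits with `RenV::`) rest on one observation: the dropper names its copy with a space in front of the extension (`googleupdate .exe`, `bitcomet .exe`) and parks it beside the real program, so the entry is easy to overlook in a directory listing. The script below is an added example, not code from this thread and not the code of SystemLook or ComboFix: it walks a directory tree, reports every file whose name has whitespace directly before `.exe` in roughly SystemLook's columns (size, modification time, MD5, plus the legitimately named sibling if one exists), and drafts the same `killall:: / RenV:: / Reboot::` script Dr Jay posted. The directory layout in `demo()` is constructed for the example; the function and variable names are mine.

```python
"""Added example (not part of the thread, SystemLook or ComboFix): replicate the
':filefind  * .exe' search and draft the matching ComboFix RenV:: script."""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Match a filename whose stem ends in whitespace right before ".exe", e.g.
# "googleupdate .exe". The stray space is the tell; the rest mimics the real binary.
SPACED_EXE = re.compile(r"\s\.exe$", re.IGNORECASE)


def filefind_spaced_exe(root):
    """Walk `root` and report every '* .exe' file in SystemLook's style:
    path, size, mtime, MD5, and the legitimately named sibling if present."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not SPACED_EXE.search(name):
                continue
            path = Path(dirpath) / name
            data = path.read_bytes()
            # "bitcomet .exe" -> "bitcomet.exe": the program the impostor is shadowing
            clean = name[:-4].rstrip() + name[-4:]
            sibling = Path(dirpath) / clean
            hits.append({
                "path": str(path),
                "size": len(data),
                "mtime": datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
                                 .strftime("%H:%M %d/%m/%Y"),
                "md5": hashlib.md5(data).hexdigest().upper(),
                "legit_sibling": str(sibling) if sibling.exists() else None,
            })
    return sorted(hits, key=lambda h: h["path"].lower())


def build_cfscript(hits):
    """Emit the CFScript shape used in the reply above: stop running processes,
    rename each hit out of the way (RenV::), then reboot."""
    lines = ["killall::", "", "RenV::"]
    lines += [h["path"] for h in hits]
    lines += ["", "Reboot::"]
    return "\n".join(lines) + "\n"


def demo():
    """Constructed sample tree (an assumption, not the poster's disk): two
    look-alike droppers beside their real programs, one benign exe and a
    non-exe decoy that must not match."""
    root = Path(tempfile.mkdtemp(prefix="filefind_"))
    layout = {
        "Google/Update/googleupdate.exe": b"MZ legit updater",
        "Google/Update/googleupdate .exe": b"MZ impostor 1",
        "BitComet/bitcomet.exe": b"MZ legit client",
        "BitComet/bitcomet .exe": b"MZ impostor 2",
        "Steam/Steam.exe": b"MZ benign",
        "Steam/readme .txt": b"not an executable",
    }
    for rel, body in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    hits = filefind_spaced_exe(root)
    return hits, build_cfscript(hits)


if __name__ == "__main__":
    found, script = demo()
    for h in found:
        print(f"{h['path']} {h['size']} bytes [{h['mtime']}] {h['md5']} "
              f"sibling={h['legit_sibling']}")
    print(script)
```

Only the two `* .exe` entries are reported; `Steam.exe` and `readme .txt` are ignored because the whitespace has to sit immediately before `.exe`. The generated text is a draft to compare against the SystemLook log, not something to feed to ComboFix unreviewed: `RenV::` renames rather than deletes, so the renamed copies stay on disk for quarantine or submission to the helper.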

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Mon Apr 12, 2010 1:19 am

ComboFix 10-04-11.02 - Spen 04/11/2010 22:09:10.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -7:00]
Running from: c:\documents and settings\Spen\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Spen\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-10 04:36 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-10 04:36 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-10 04:30 . 2010-04-10 04:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-08 19:28 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-04-08 19:26 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-04-08 19:26 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-04-08 19:26 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-04-08 19:22 . 2010-04-08 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\system32\scripting
2010-04-08 19:17 . 2010-04-08 19:17 -------- d-----w- c:\windows\l2schemas
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\en
2010-04-08 19:16 . 2010-04-08 19:16 -------- d-----w- c:\windows\system32\bits
2010-04-08 11:15 . 2010-04-08 11:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 11:10 . 2010-04-08 11:10 -------- d-sh--w- c:\documents and settings\Spen\IETldCache
2010-04-08 11:08 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 11:08 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 11:08 . 2010-04-09 14:43 -------- d-----w- c:\windows\ie8updates
2010-04-08 11:08 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 11:05 . 2010-04-08 11:05 -------- d-----w- c:\documents and settings\Spen\Pavark
2010-04-08 11:05 . 2010-04-08 11:08 -------- dc-h--w- c:\windows\ie8
2010-04-08 10:07 . 2010-04-08 10:07 -------- d-----w- C:\b9366766186a5e08fc2c
2010-04-08 06:28 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-04-08 06:23 . 2010-04-08 19:14 -------- d-----w- c:\windows\ServicePackFiles
2010-04-08 06:19 . 2008-04-14 00:12 76800 ------w- c:\windows\system32\qutil.dll
2010-04-08 06:17 . 2004-08-04 05:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2010-04-08 06:14 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-04-08 06:14 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-04-08 06:14 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-04-08 06:14 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-04-08 06:13 . 2009-12-04 18:22 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-08 02:00 . 2010-04-08 02:00 -------- d-----w- c:\program files\FileASSASSIN
2010-04-07 19:46 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:46 . 2010-04-07 19:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:46 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 09:07 . 2010-04-07 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 09:05 . 2010-04-07 09:05 -------- d-----w- c:\program files\Trend Micro
2010-04-07 03:25 . 2010-04-07 04:07 -------- d-----w- c:\windows\system32\NtmsData
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\documents and settings\Spen\Application Data\Avira
2010-04-07 03:04 . 2010-03-01 16:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-07 03:04 . 2010-02-16 20:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 03:04 . 2009-05-11 18:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-07 03:04 . 2009-05-11 18:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\program files\Avira
2010-04-07 03:04 . 2010-04-07 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-07 02:52 . 2010-04-07 02:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 06:52 . 2010-04-06 07:16 201728 --sha-w- c:\documents and settings\Spen\Local Settings\Application Data\2269221376.dll
2010-04-06 06:31 . 2010-04-06 06:31 -------- d-----w- c:\documents and settings\Spen\Application Data\CheckPoint
2010-04-06 06:21 . 2010-04-06 06:21 -------- d-----w- c:\program files\Zone Labs
2010-04-06 06:21 . 2010-04-07 09:18 -------- d-----w- c:\windows\Internet Logs
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\program files\iPod
2010-04-05 15:10 . 2010-04-11 05:51 -------- d-----w- c:\program files\iTunes
2010-04-05 15:10 . 2010-04-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 15:08 . 2010-04-11 10:53 -------- d-----w- c:\program files\QuickTime
2010-04-05 15:04 . 2010-04-05 15:04 -------- d-----w- c:\program files\Bonjour
2010-04-05 15:02 . 2010-04-05 15:02 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-01 03:17 . 2010-04-01 03:17 -------- d-----w- c:\program files\dumps
2010-03-29 06:18 . 2010-04-01 22:40 -------- d-----w- c:\program files\Steam
2010-03-26 07:39 . 2010-03-26 07:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Winamp Toolbar
2010-03-26 07:37 . 2010-04-06 06:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-03-24 05:56 . 2010-03-24 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-24 05:52 . 2010-03-03 04:02 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-24 05:52 . 2010-03-03 04:01 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-24 05:52 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-24 05:52 . 2010-03-03 03:07 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-24 05:52 . 2009-05-11 22:35 118784 ----a-w- c:\windows\system32\atibtmon.exe
2010-03-24 05:52 . 2010-03-24 05:54 -------- d-----w- c:\program files\ATI
2010-03-21 21:05 . 2010-03-21 21:05 2131336 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faabpk7i.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-03-21 09:51 . 2010-04-01 07:39 -------- d-----w- c:\program files\StarCraft II Beta
2010-03-21 09:51 . 2010-03-21 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-20 18:41 . 2010-03-20 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-03-17 21:18 . 2010-03-17 21:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-03-15 10:03 . 2010-03-15 10:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Blizzard Entertainment
2010-03-15 08:37 . 2010-04-10 08:50 -------- d-----w- c:\program files\World of Warcraft
2010-03-15 08:35 . 2010-03-15 08:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-03-14 19:55 . 2010-03-21 09:59 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-03-14 19:47 . 2010-03-14 19:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-14 19:41 . 2010-03-14 19:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-03-14 19:41 . 2010-04-05 00:14 -------- d-----w- c:\documents and settings\Administrator\Tracing
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-03-14 19:40 . 2010-03-14 19:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-03-14 06:26 . 2010-03-14 06:26 -------- d-----w- c:\documents and settings\Alex\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 05:17 . 2009-03-30 08:26 -------- d-----w- c:\documents and settings\Spen\Application Data\uTorrent
2010-04-11 06:28 . 2009-05-08 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-11 05:46 . 2009-04-23 07:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 05:43 . 2008-10-30 07:24 -------- d-----w- c:\program files\BitComet
2010-04-11 05:42 . 2009-06-10 23:29 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-09 04:31 . 2009-11-11 08:03 -------- d-----w- c:\documents and settings\Spen\Application Data\vlc
2010-04-09 01:24 . 2009-05-18 21:19 1 ----a-w- c:\documents and settings\Spen\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-08 19:34 . 2008-11-03 02:27 -------- d-----w- c:\program files\uTorrent
2010-04-08 19:26 . 2009-03-28 21:08 18640 ----a-w- c:\documents and settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 19:18 . 2008-10-30 06:07 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-08 06:33 . 2009-12-11 04:29 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-08 06:28 . 2010-04-08 06:28 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-04-08 04:32 . 2009-05-03 11:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\Spen\Application Data\Malwarebytes
2010-04-07 19:46 . 2009-03-28 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 19:39 . 2010-04-06 07:05 1323584 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-07 09:23 . 2009-06-10 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 02:43 . 2010-04-07 03:21 1601024 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-07 02:43 . 2010-04-07 03:21 8704 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-07 02:39 . 2010-04-07 02:43 1601024 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-04-07 02:39 . 2010-04-07 02:43 8192 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-04-07 02:23 . 2010-04-07 02:39 1601024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-04-07 02:23 . 2010-04-07 02:39 8704 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2010-04-06 16:06 . 2010-04-07 02:23 8192 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-04-06 16:06 . 2010-04-07 02:23 1601024 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2010-04-06 07:24 . 2010-04-06 07:24 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-06 07:18 . 2010-04-06 16:06 8704 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2010-04-06 07:18 . 2010-04-06 07:18 8192 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-06 07:18 . 2010-04-06 07:18 1599488 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-06 07:08 . 2010-04-06 07:17 864256 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-04-06 06:36 . 2010-04-06 06:36 36864 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-04-06 06:36 . 2010-04-06 06:36 1572864 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-04-06 06:36 . 2009-12-11 06:42 -------- d-----w- c:\program files\Winamp Remote
2010-04-06 06:30 . 2010-04-06 06:30 -------- d-----w- c:\program files\CheckPoint
2010-04-06 06:30 . 2010-04-06 06:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-06 05:49 . 2008-11-03 02:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-05 15:10 . 2008-11-04 01:04 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 04:03 . 2008-10-31 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-01 07:48 . 2008-10-30 05:39 17864 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-24 05:54 . 2008-10-30 05:36 -------- d-----w- c:\program files\ATI Technologies
2010-03-20 18:37 . 2008-11-04 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2010-03-18 01:33 . 2008-10-31 02:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-03-14 19:45 . 2008-10-31 02:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-03-14 12:49 . 2009-08-13 01:34 -------- d-----w- c:\documents and settings\Alex\Application Data\vlc
2010-03-14 09:33 . 2008-11-07 01:52 -------- d-----w- c:\program files\PokerStars
2010-03-14 07:30 . 2008-10-30 06:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 06:32 . 2009-07-18 19:39 -------- d-----w- c:\documents and settings\Alex\Application Data\LimeWire
2010-03-13 02:21 . 2010-02-06 16:30 -------- d-----w- c:\documents and settings\Alex\Application Data\dvdcss
2010-03-03 04:21 . 2008-09-24 03:09 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2008-09-24 01:56 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 03:44 . 2008-09-24 02:09 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2008-09-24 02:18 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2008-09-24 01:54 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2008-09-24 02:17 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2008-09-24 02:07 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2008-09-24 01:38 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2008-09-24 02:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2008-09-24 02:06 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2008-09-24 01:38 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2008-09-24 01:38 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2008-09-24 02:06 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2008-09-24 02:06 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2008-09-24 02:04 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2008-09-24 02:03 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2008-09-24 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2008-09-24 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2008-09-24 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2008-09-24 01:18 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2008-09-24 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2008-09-24 01:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2008-09-24 01:24 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-02 14:23 . 2009-07-17 01:59 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-25 19:55 . 2008-09-17 19:17 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-25 06:24 . 2004-08-04 02:56 916480 ------w- c:\windows\system32\wininet.dll
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
Code:
<pre>
c:\program files\BitComet\bitcomet  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-08 319792]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Alex\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-20 00:20 57344 -c--a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2009-06-15 01:24 307200 ----a-r- c:\program files\ATI\ATICustomerCare\aticustomercare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 03:03 152872 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COM+ Manager]
c:\documents and settings\Administrator\.COMMgr\complmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2008-10-05 03:24 235936 -c--a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-06 06:59 136176 ----atw- c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\googleupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-03-30 07:46 1086856 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 -c--a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-04-01 01:54 507904 -c--a-w- c:\program files\Winamp Remote\bin\orbtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-10-09 22:54 17021440 -c--a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
c:\program files\Software Informer\softinfo.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-03 06:26 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-01 03:17 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-05-08 10:55 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14634:TCP"= 14634:TCP:BitComet 14634 TCP
"14634:UDP"= 14634:UDP:BitComet 14634 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/6/2010 8:04 PM 135336]
S2 gupdate1c9cfcb98311892;Google Update Service (gupdate1c9cfcb98311892);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 3:56 AM 133104]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [10/13/2006 2:48 PM 50048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/30/2008 12:04 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 10:55]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 10:56]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: 使用迅雷下载 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\documents and settings\Spen\Desktop\thunder\Thunder\Program\getallurl.htm
FF - ProfilePath - c:\documents and settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Spen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-11 22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1935655697-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:1d,43,1b,e5,21,0f,a6,e6,42,fb,76,42,c0,36,94,8e,fe,02,91,09,1e,
d6,00,e0,bc,02,7f,c0,ad,40,8b,26,85,c8,39,53,a1,27,f8,1e,4a,12,cb,45,01,07,\
"rkeysecu"=hex:04,5a,e4,57,be,78,e9,65,76,e7,15,b6,48,67,f8,26
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(2940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wpabaln.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-04-11 22:19:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-12 05:19
ComboFix2.txt 2010-04-11 18:49
ComboFix3.txt 2010-04-11 11:04
ComboFix4.txt 2010-04-11 06:02
ComboFix5.txt 2010-04-12 05:08

Pre-Run: 4,728,664,064 bytes free
Post-Run: 4,694,097,920 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - BD9C80CBDE99B57EE366627C175BA91D


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Mon Apr 12, 2010 9:56 am

This just does not want to go away, does it?

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    * .exe
    *  .exe
    *  .exe
    *    .exe
    *    .exe
    *      .exe
    *      .exe
    *        .exe
    *        .exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Mon Apr 12, 2010 2:14 pm

Yeah, I just don't understand why we can't seem to get rid of it. Have you ever experienced anything like this? Thanks again man, you are so patient with my inexperience.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:12 on 12/04/2010 by Spen (Administrator - Elevation successful)

========== filefind ==========

Searching for "* .exe"
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

Searching for "* .exe"
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

Searching for "* .exe"
C:\Program Files\BitComet\bitcomet .exe --a--c 2497336 bytes [07:53 10/10/2008] [07:53 10/10/2008] 39E1C0FA52D86C04DDBE47F308319E8A

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

Searching for "* .exe"
No files found.

-=End Of File=-


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Mon Apr 12, 2010 9:44 pm

I am rather confused as to why it will not go away.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :dir
    C:\Program Files\BitComet

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Please wrap it in a Code tag.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Tue Apr 13, 2010 12:14 am

Code:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:14 on 12/04/2010 by Spen (Administrator - Elevation successful)

========== dir ==========

C:\Program Files\BitComet - Unable to find folder.

-=End Of File=-


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Tue Apr 13, 2010 12:20 am

Please open OTL -- Click None and paste this in the Custom Scans box:
Code:
%PROGRAMFILES%\*.

Then click Run Scan. It shall launch a log. Please post it in your next reply.


Dr. Jay (DJ)


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Tue Apr 13, 2010 1:26 am

Code:

OTL logfile created on: 4/12/2010 10:26:14 PM - Run 2
OTL by OldTimer - Version 3.2.1.0    Folder = C:\Documents and Settings\Spen\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 4.24 Gb Free Space | 1.82% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: ALEX-ROOM
Current User Name: Spen
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Custom Scans ==========
 
 
< %PROGRAMFILES%\*. >
[2010/04/10 22:42:17 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2008/11/03 18:05:00 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/03/23 22:54:54 | 000,000,000 | ---D | M] -- C:\Program Files\ATI
[2010/03/23 22:54:27 | 000,000,000 | ---D | M] -- C:\Program Files\ATI Technologies
[2010/04/06 20:04:00 | 000,000,000 | ---D | M] -- C:\Program Files\Avira
[2010/04/05 08:04:11 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/01/12 23:50:04 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/04/05 23:30:50 | 000,000,000 | ---D | M] -- C:\Program Files\CheckPoint
[2009/07/04 02:33:51 | 000,000,000 | ---D | M] -- C:\Program Files\Comical
[2010/04/11 22:11:45 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/10/29 23:03:58 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2008/10/30 00:06:22 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools Lite
[2009/12/21 22:52:59 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/03/31 20:17:38 | 000,000,000 | ---D | M] -- C:\Program Files\dumps
[2010/04/07 19:00:41 | 000,000,000 | ---D | M] -- C:\Program Files\FileASSASSIN
[2010/02/05 23:15:22 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/05/18 13:58:49 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/05/18 13:57:23 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2010/03/14 00:30:50 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2008/10/29 23:16:10 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/04/08 04:10:20 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2009/07/04 00:20:34 | 000,000,000 | ---D | M] -- C:\Program Files\IObit
[2010/04/05 08:10:14 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/04/10 22:51:53 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2008/10/30 00:09:21 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/05/18 14:18:08 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2009/12/25 22:09:38 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2009/06/16 02:36:28 | 000,000,000 | ---D | M] -- C:\Program Files\MagicISO
[2010/04/07 12:46:27 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/10 22:51:55 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/06 12:56:41 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009/12/10 21:27:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2008/10/29 23:08:42 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/04/08 12:16:59 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/04/02 17:05:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/04/10 22:42:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox 3.5 Beta 4
[2009/12/08 00:43:52 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2008/10/29 22:57:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/10/29 22:57:45 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/01/13 10:26:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/12/08 00:40:12 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2008/11/05 19:23:05 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2010/04/08 12:14:43 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/10/29 23:31:59 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/05/18 14:18:07 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2010/04/08 12:39:01 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/11/27 01:37:29 | 000,000,000 | ---D | M] -- C:\Program Files\PartyGaming
[2010/03/14 02:33:36 | 000,000,000 | ---D | M] -- C:\Program Files\PokerStars
[2009/06/16 02:36:28 | 000,000,000 | ---D | M] -- C:\Program Files\Postal2STP
[2009/11/27 01:37:27 | 000,000,000 | ---D | M] -- C:\Program Files\Project64 v1.5
[2010/04/11 03:53:34 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2008/10/29 23:20:35 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2008/10/30 00:09:49 | 000,000,000 | ---D | M] -- C:\Program Files\RealVNC
[2009/12/08 00:43:42 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/04/07 02:08:55 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/01 00:39:52 | 000,000,000 | ---D | M] -- C:\Program Files\StarCraft II Beta
[2010/04/01 15:40:44 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2010/04/07 02:05:18 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2008/10/29 23:12:25 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/04/08 12:34:15 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2008/10/30 20:32:28 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2008/12/03 23:28:18 | 000,000,000 | ---D | M] -- C:\Program Files\VIDEOzilla
[2009/07/23 13:54:13 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2010/04/05 23:36:27 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Remote
[2009/07/23 13:52:58 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Toolbar
[2010/04/07 23:33:32 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2009/11/06 12:55:59 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/11/06 12:56:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2008/10/29 23:08:26 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/04/08 12:14:39 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/10/29 23:03:18 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Plus
[2008/10/29 23:07:13 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2008/10/30 00:29:36 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2010/04/10 01:50:53 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2008/10/29 23:08:42 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/04/05 23:21:46 | 000,000,000 | ---D | M] -- C:\Program Files\Zone Labs
< End of report >


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Tue Apr 13, 2010 1:32 am

Open OTL. Click on Quick Scan, then post a log.


Dr. Jay (DJ)


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Tue Apr 13, 2010 1:48 am

OTL logfile created on: 4/12/2010 10:45:08 PM - Run 3
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Spen\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 4.23 Gb Free Space | 1.82% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALEX-ROOM
Current User Name: Spen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe
PRC - [2010/04/02 17:05:39 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/13 17:12:40 | 000,032,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wpabaln.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2007/10/25 16:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2006/05/12 16:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Disabled | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/05 08:08:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/10 22:46:18 | 000,000,000 | ---D | M]

[2009/03/28 14:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Mozilla\Extensions
[2010/04/11 23:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\extensions
[2010/04/09 08:56:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/06 23:35:52 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\searchplugins\bing.xml
[2010/04/11 23:39:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/22 23:20:30 | 000,491,520 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll

O1 HOSTS File: ([2010/04/11 22:14:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ThunderAtOnce Class) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\ComDlls\TDAtOnce_Now.dll (Thunder Networking Technologies,LTD)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: 使用迅雷下载 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm ()
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\getAllurl.htm ()
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.144.18 64.59.144.19
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/29 23:08:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/12 21:11:54 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Spen\PrivacIE
[2010/04/12 21:10:55 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/11 22:12:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/10 23:43:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\Pure.Pwnage.TV.S01E05.HDTV.XviD-aAF - [ [You must be registered and logged in to see this link.] ]
[2010/04/10 01:49:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\My Documents\StarCraft II Beta
[2010/04/08 21:08:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\666
[2010/04/08 18:09:51 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe
[2010/04/08 12:23:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/08 12:22:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/04/08 12:17:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/04/08 12:17:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/04/08 12:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/04/08 12:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/04/08 12:07:52 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/04/08 04:10:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Spen\IETldCache
[2010/04/08 04:08:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/04/08 04:05:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Pavark
[2010/04/08 04:05:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/04/08 03:07:06 | 000,000,000 | ---D | C] -- C:\b9366766186a5e08fc2c
[2010/04/07 23:23:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2010/04/07 20:26:45 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/07 20:25:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/07 20:25:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/07 20:25:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/07 20:25:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/07 20:24:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/07 20:22:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/07 19:00:40 | 000,000,000 | ---D | C] -- C:\Program Files\FileASSASSIN
[2010/04/07 13:52:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\SmitfraudFix
[2010/04/07 12:46:24 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/07 12:46:20 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/07 12:46:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/07 06:00:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/07 06:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/07 02:18:41 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Spen\Recent
[2010/04/07 02:07:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/07 02:05:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/06 21:14:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/06 20:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/06 20:25:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/04/06 20:22:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Application Data\Avira
[2010/04/06 20:04:02 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/04/06 20:04:01 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/04/06 20:04:01 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/04/06 20:04:01 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/04/06 20:04:01 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/04/06 20:04:00 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/06 20:04:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/04/05 23:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/05 23:31:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\My Documents\ForceField Shared Files
[2010/04/05 23:31:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Application Data\CheckPoint
[2010/04/05 23:30:50 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/05 23:30:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/04/05 23:21:46 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/04/05 23:21:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/04/05 08:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/05 08:10:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/05 08:10:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/05 08:08:00 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/05 08:04:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/03/31 20:17:38 | 000,000,000 | ---D | C] -- C:\Program Files\dumps
[2010/03/29 19:36:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/10 21:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/05/13 00:30:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/05/08 03:56:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/11/10 19:48:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/10/29 23:11:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/10/29 23:11:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/12 22:23:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/12 18:48:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/12 14:23:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/12 12:35:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/12 12:02:42 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/11 23:42:41 | 008,650,752 | -H-- | M] () -- C:\Documents and Settings\Spen\NTUSER.DAT
[2010/04/11 22:14:47 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/11 22:14:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/11 22:14:31 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/11 22:14:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/11 22:14:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/11 22:13:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Spen\ntuser.ini
[2010/04/11 22:13:03 | 006,442,408 | -H-- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\IconCache.db
[2010/04/11 21:22:41 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\SystemLook.exe
[2010/04/11 19:42:23 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/10 23:49:49 | 000,203,264 | ---- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/10 22:46:18 | 000,001,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/09 21:28:22 | 000,000,744 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\commy.exe.lnk
[2010/04/09 07:46:47 | 000,518,514 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/09 07:46:47 | 000,454,170 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/09 07:46:47 | 000,074,628 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/09 07:44:47 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/08 18:24:32 | 000,181,642 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\OTL.doc
[2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe
[2010/04/08 12:45:25 | 000,117,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/08 12:34:15 | 000,000,673 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\礣orrent.lnk
[2010/04/08 12:29:15 | 000,004,444 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2010/04/08 12:26:59 | 000,018,640 | ---- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/08 12:24:11 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/04/08 12:12:26 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/04/08 02:00:22 | 000,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documents\khq
[2010/04/08 00:39:48 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100408-021417.backup
[2010/04/07 23:28:54 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/04/07 23:28:52 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
[2010/04/07 21:32:39 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/07 20:26:54 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/04/07 12:46:26 | 000,000,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Pokemon Gold.lnk
[2010/04/07 02:42:50 | 000,000,090 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/07 02:07:40 | 000,000,992 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\Spybot - Search & Destroy.lnk
[2010/04/07 02:05:18 | 000,001,783 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\HijackThis.lnk
[2010/04/06 19:52:17 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
[2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/04/06 00:03:12 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/05 23:31:36 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/05 23:30:47 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/05 23:07:41 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100407-021746.backup
[2010/04/05 08:08:28 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/11 21:22:41 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\SystemLook.exe
[2010/04/10 22:46:18 | 000,001,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/09 21:28:22 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\commy.exe.lnk
[2010/04/08 18:24:32 | 000,181,642 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\OTL.doc
[2010/04/08 12:34:15 | 000,000,673 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\礣orrent.lnk
[2010/04/08 12:29:15 | 000,004,444 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2010/04/08 02:00:22 | 000,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documents\khq
[2010/04/08 02:00:10 | 000,734,581 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\rydxuu.exe
[2010/04/07 23:28:54 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/04/07 23:28:52 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/07 23:22:33 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/04/07 23:20:27 | 000,000,974 | ---- | C] () -- C:\WINDOWS\System32\pid.inf
[2010/04/07 23:17:44 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2010/04/07 23:17:43 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2010/04/07 23:17:43 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2010/04/07 22:14:05 | 000,007,882 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
[2010/04/07 22:14:04 | 000,007,882 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/07 20:26:53 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/04/07 20:26:48 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/07 20:25:10 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/07 20:25:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/07 20:25:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/07 20:25:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/07 20:25:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/07 12:46:26 | 000,000,757 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Pokemon Gold.lnk
[2010/04/07 02:42:50 | 000,000,090 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/04/07 02:07:40 | 000,000,992 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\Spybot - Search & Destroy.lnk
[2010/04/07 02:05:18 | 000,001,783 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\HijackThis.lnk
[2010/04/06 19:52:17 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/06 00:03:12 | 000,000,319 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/05 23:52:20 | 000,201,728 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/04/05 23:39:03 | 000,012,848 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
[2010/04/05 23:30:47 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/05 23:30:38 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/05 23:08:05 | 000,012,848 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/04/05 08:10:34 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/05 08:08:28 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/12 21:34:43 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\fusioncache.dat
[2009/05/31 15:49:48 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\EGameEncrypt.dll
[2009/05/18 13:56:09 | 000,000,337 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/04/11 12:15:27 | 000,000,146 | ---- | C] () -- C:\Documents and Settings\Spen\default.pls
[2009/03/28 17:06:14 | 000,203,264 | ---- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/28 15:31:22 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/03/28 15:31:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/03/28 15:31:09 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/28 15:31:09 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/28 15:31:01 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/03/28 15:31:01 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/28 14:07:50 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Spen\ntuser.dat.LOG
[2009/03/28 14:07:50 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Spen\ntuser.ini
[2009/03/28 14:07:49 | 008,650,752 | -H-- | C] () -- C:\Documents and Settings\Spen\NTUSER.DAT
[2009/02/15 07:43:11 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/12/03 23:28:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vzcontextmenu.dll
[2008/12/03 23:28:13 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\DetectDxQT.dll
[2008/11/05 19:36:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/01 16:57:24 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== LOP Check ==========

[2009/12/08 09:09:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/12/10 23:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OrbNetworks
[2009/07/04 02:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2008/12/03 23:28:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\shctxex.vb
[2009/12/18 02:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thunder Network
[2009/12/18 02:21:17 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\thunder_vod_cache
[2010/04/05 08:10:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/19 09:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/16 19:00:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/13 14:38:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Braid
[2010/04/05 23:31:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\CheckPoint
[2009/03/31 15:04:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\DAEMON Tools
[2009/05/24 00:33:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\EVEMon
[2009/06/27 20:24:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\IObit
[2010/01/04 19:50:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\LimeWire
[2009/05/18 14:19:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\OpenOffice.org
[2009/03/31 15:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\SPORE
[2010/04/11 23:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\uTorrent
[2009/12/10 21:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Windows Desktop Search
[2009/12/10 22:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Windows Search

========== Purity Check ==========


< End of report >


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Tue Apr 13, 2010 2:11 am

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :otl
    O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
    O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
    O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
    [2010/04/08 03:07:06 | 000,000,000 | ---D | C] -- C:\b9366766186a5e08fc2c
    [2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
    [2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
    [2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
    [2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
    [2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll

    :commands
    [emptytemp]
    [reboot]


  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alarmed; this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  • Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


Dr. Jay (DJ)


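As an added example (not part of this thread, and not OTL's own code), here is a small Python parser for the OTL "Files/Folders" rows posted above that applies the pattern the fix targeted: hidden+system files with no company name dropped under a profile's Application Data or Documents folders. The watched-folder regex, the executable-extension list and the two flagging rules are this example's own heuristics, not OTL's; the sample rows are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL "Files/Folders" row:
#   [2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\some\path
# Folder rows omit the "(company)" group; file rows print "()" when the
# binary carries no company/version information.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
# Per-user data folders the OTL fix above cleaned (assumption: this is the
# set of locations the heuristic watches; extend for other profile layouts).
PROFILE_DATA_DIR = re.compile(
    r"^[A-Z]:\\Documents and Settings\\[^\\]+\\"
    r"(?:Local Settings\\)?(?:Application Data|Documents)\\",
    re.IGNORECASE,
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr")


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str              # R read-only, H hidden, S system, D directory
    kind: str               # C = "Created" list, M = "Modified" list
    company: Optional[str]  # None for folders, "" when OTL printed "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one row; return None for headers and OTL's '*.tmp' summary row."""
    m = OTL_LINE.match(line.strip())
    if m is None:
        return None
    return OtlEntry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                    m["kind"], m["company"], m["path"])


def suspicion_reason(e: OtlEntry) -> Optional[str]:
    """Why a row deserves a second look, or None. The rules mirror what the
    fix removed: hidden+system drops and company-less executables that sit
    under a profile data folder."""
    if e.is_dir or not PROFILE_DATA_DIR.match(e.path):
        return None
    no_company = e.company == ""
    if e.hidden_system and no_company:
        return "hidden+system file with no company name in profile data"
    if no_company and e.path.lower().endswith(EXECUTABLE_EXT):
        return "executable with no company name in profile data"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every flagged row, in log order."""
    flagged = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is not None:
            reason = suspicion_reason(entry)
            if reason:
                flagged.append((entry.path, reason))
    return flagged


# Rows copied from the OTL log posted above, plus the "*.tmp" summary row.
SAMPLE_LINES = [
    r"[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c",
    r"[2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll",
    r"[2010/04/08 02:00:10 | 000,734,581 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\rydxuu.exe",
    r"[2010/04/11 22:13:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Spen\ntuser.ini",
    r"[2010/04/07 12:46:20 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys",
    r"[2010/04/07 20:22:30 | 000,000,000 | ---D | C] -- C:\Qoobox",
    r"[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{path}\n    -> {reason}")
```

A flagged row is a lead for review, not a verdict: ntuser.ini in the same log is also hidden+system with no company name and is legitimate, which is why the rules also require the profile data folder.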

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Tue Apr 13, 2010 2:50 am

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
C:\Program Files\PartyGaming\PartyPoker\RunApp.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
File C:\Program Files\PartyGaming\PartyPoker\RunApp.exe not found.
C:\b9366766186a5e08fc2c\i386 folder moved successfully.
C:\b9366766186a5e08fc2c\amd64 folder moved successfully.
C:\b9366766186a5e08fc2c folder moved successfully.
C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c moved successfully.
C:\Documents and Settings\All Users\Application Data\bQT88M2c moved successfully.
C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB moved successfully.
C:\Documents and Settings\All Users\Application Data\GbW53PfLB moved successfully.
C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 160065 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 43258504 bytes
->Flash cache emptied: 405 bytes

User: Alex
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 157915 bytes
->Java cache emptied: 11377128 bytes
->Flash cache emptied: 14674 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 4288 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 39 bytes
->Flash cache emptied: 1489 bytes

User: Spen
->Temp folder emptied: 11904 bytes
->Temporary Internet Files folder emptied: 3731832 bytes
->Java cache emptied: 1243 bytes
->FireFox cache emptied: 69254972 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2739 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1925431 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 112350 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.00 mb


OTL by OldTimer - Version 3.2.1.0 log created on 04122010_234740

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Tue Apr 13, 2010 3:16 am

Please download [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Tue Apr 13, 2010 3:43 am

Code:
Cheetah-Anti-Rogue v1.4.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 04/13/2010 - Time:  0:43:02 - Arch.: x86
 
 
-- Malware removal tools check --
CCleaner
Trend Micro HijackThis 2.0.2
Malwarebytes' Anti-Malware
 
 
-- Known infection --
 
 
 
Extra message: Detection only.
 
 
EOF


Nothing showing in known infections; is that a good sign?


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Tue Apr 13, 2010 12:08 pm

Let's see this one check.

Please download RootRepeal from [You must be registered and logged in to see this link.].

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Wed Apr 14, 2010 12:41 am

Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/04/13 21:32
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6A50000   Size: 49152   File Visible: No   Signed: -
Status: -

==EOF==


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Wed Apr 14, 2010 11:21 am

Didn't display much.


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Wed Apr 14, 2010 1:30 pm

Nope. How is your computer running? Any other popups?


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Wed Apr 14, 2010 8:40 pm

It's running really smoothly after those first few scans and deletions we did, and now I think it's back up to speed.
If those scans aren't finding anything, I'm thinking we did it. Smile
Thanks so much Jay, I think it's safe for me to set up my Windows 7 now.


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Wed Apr 14, 2010 9:30 pm

Let's clean up.

Now, to get you off to a good start, we will clean your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and the display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Let me know when that is done.


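The restore-point step in the post above (create a known-good point first, then purge every older one), written out as an added PowerShell example for Windows 7 and later. This is not Dr Jay's procedure or any of the tools used in this thread; it assumes the system drive is C: and that it runs from an elevated prompt. It does not apply to XP: XP has no PowerShell by default and does not keep its restore points in VSS shadow copies, so on XP the Disk Cleanup route in the post is the way to do it.

```powershell
# Added example, not from the thread. Equivalent of "create a clean restore point,
# then Disk Cleanup > More Options > System Restore > Clean up" for Windows 7+.
# Assumptions: system drive is C:, run from an elevated PowerShell (4.0+ for #Requires).
#Requires -RunAsAdministrator

$Drive = 'C:\'     # assumption: the system drive; Enable-ComputerRestore wants the trailing backslash
$Label = 'Clean'   # name of the new, known-good restore point

# 1. Make sure System Restore is on for the drive, then take the clean snapshot.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description $Label -RestorePointType 'MODIFY_SETTINGS'
# Caveat: on Windows 8 and later, Checkpoint-Computer refuses to create a second
# restore point within 24 hours of the previous one unless the REG_DWORD
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SystemRestorePointCreationFrequency
# is 0. Step 2 therefore verifies that the new point actually exists before deleting anything.

# 2. Confirm that the newest restore point is the one we just made.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
$points | Format-Table SequenceNumber, Description,
    @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize
$newest = $points | Select-Object -Last 1
if (-not $newest -or $newest.Description -ne $Label) {
    throw "Newest restore point is not '$Label'; refusing to purge old points."
}

# 3. Delete every shadow copy on the drive except the newest one. On Vista and
# later, restore points are stored in VSS shadow copies, which is what the
# Disk Cleanup "Clean up" button removes. Like the GUI route, this also
# discards "Previous Versions" of files on that drive.
function Get-ShadowCount([string]$Volume) {
    # vssadmin prints one "Shadow Copy ID: {guid}" line per shadow copy.
    (vssadmin list shadows /For=$Volume | Select-String 'Shadow Copy ID:').Count
}

$volume = $Drive.TrimEnd('\')   # vssadmin wants "C:" rather than "C:\"
while (($count = Get-ShadowCount $volume) -gt 1) {
    vssadmin delete shadows /For=$volume /Oldest /Quiet | Out-Null
    if ((Get-ShadowCount $volume) -ge $count) {
        throw 'vssadmin did not remove the oldest shadow copy; stopping to avoid looping.'
    }
}

# 4. What is left should be exactly one restore point: the clean one.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description -AutoSize
```

The order matters for the same reason it does in the post: the clean point is created before anything is deleted, so the newest shadow copy is the one that survives. The guard in step 2 exists because a silently skipped Checkpoint-Computer (the 24-hour limit on Windows 8+) would otherwise leave the infected restore point as the only survivor.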

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on Thu Apr 15, 2010 1:33 am

All done! Man you really have helped me tremendously.
I don't even know what to say.
Thank You!


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on Thu Apr 15, 2010 9:25 am

You're welcome.

Happy Safe Surfing!


